Abstract

In the last few years, theoretical study of quantum systems serving as computational
devices has achieved tremendous progress. We now have strong theoretical evidence
that quantum computers, if built, might be used as a dramatically powerful computational
tool, capable of performing tasks which seem intractable for classical computers.
This review tells the story of theoretical quantum computation. I left out the
developing topic of experimental realizations of the model, and neglected other closely
related topics, namely quantum information and quantum communication. As a result
of narrowing the scope of this paper, I hope it has gained the benefit of being an
almost self-contained introduction to the exciting field of quantum computation.

The review begins with background on theoretical computer science, Turing machines
and Boolean circuits. In light of these models, I define quantum computers,
and discuss the issue of universal quantum gates. Quantum algorithms, including
Shor's factorization algorithm and Grover's algorithm for searching databases, are
explained. I will devote much attention to understanding what the origins of the quantum
computational power are, and what the limits of this power are. Finally, I describe
the recent theoretical results which show that quantum computers maintain their
complexity power even in the presence of noise, inaccuracies and finite precision. This
question cannot be separated from that of quantum complexity, because any realistic
model will inevitably be subject to such inaccuracies. I tried to put all results in their
context, asking what the implications to other issues in computer science and physics
are. At the end of this review I make these connections explicit, discussing the possible
implications of quantum computation on fundamental physical questions, such as the
transition from quantum to classical physics.



1 Overview 

*To appear in Annual Reviews of Computational Physics VI, Edited by Dietrich Stauffer, World Scien-

Since ancient times, humanity has been seeking tools to help us perform tasks which
involve calculations. Such are computing the area of a land, computing the stresses on
rods in bridges, or finding the shortest route from one place to another. A common feature
of all these tasks is their structure:



Input → Computation → Output

The computation part of the process is inevitably performed by a dynamical physical
system, evolving in time. In this sense, the question of what can be computed is
intermingled with the physical question of which systems can be physically realized. If one
wants to perform a certain computation task, one should seek the appropriate physical system,
such that the evolution in time of the system corresponds to the desired computation
process. If such a system is initialized according to the input, its final state will correspond
to the desired output.

A very nice example of this kind was invented by Gaudi, a great Spanish architect, who lived
around the turn of the century. His design of the Holy Family church (La Sagrada Familia)
in Barcelona is a masterpiece of art, and is still in the process of building, after almost
a hundred years. The church resembles a sand palace, with a tremendous complexity of
delicate thin but tall towers and arcs. Since the plan of the church was so complicated,
with towers and arcs emerging from unexpected places, leaning on other arcs and towers, it is
practically impossible to solve the set of equations which corresponds to the requirement
of equilibrium in this complex. Instead of solving this impossible task, Gaudi thought of
the following ingenious idea: For each arc he desired in his complex, he took a rope, of
length proportional to the length of the arc. He tied the edges of one rope to the middle of
some other rope, or where the arcs were supposed to lean on each other. Then he just tied
the edges of the ropes corresponding to the lowest arcs to the ceiling. All the computation
was instantaneously done by gravity! The set of arcs arranged itself such that the whole
complex is in equilibrium, but upside down. Everything was there: the angles between
the different arcs, the radii of the arcs. Putting a mirror under the whole thing, he could
simply see the design of the whole church! [102]



Many examples of analog computers exist, which were invented to solve one complicated
task. Such are the differential analyzer invented by Lord Kelvin in 1870 | 12d|, which
uses friction, wheels, and pressure to draw the solution of an input differential equation.
The spaghetti sort is another example, and there are many more [194]. Are these systems
"computers"? We do not want to construct and build a completely different machine for
each task that we have to compute. We would rather have a general purpose machine,
which is "universal". A mathematical model for a "universal" computer was defined long
before the invention of computers and is called the Turing machine [18J]. Let me describe
this model briefly. A Turing machine consists of an infinite tape, a head that reads and
writes on the tape, a machine with finitely many possible states, and a transition function
δ. Given what the head reads at time t, and the machine's state at time t, δ determines
what the head will write, to which direction it will move and what will be the new
machine's state at time t + 1. The Turing machine model seems to capture the entire concept
of computability, according to the following thesis [62]:
Church Turing Thesis: A Turing machine can compute any function computable
by a reasonable physical device



What does "reasonable physical device" mean? This thesis is a physical statement,
and as such it cannot be proven. But one knows a physically unreasonable device when
one sees it. Up till now there are no candidates for counterexamples to this thesis (but see
Ref. [103]). All physical systems (including quantum systems) seem to have a simulation
by a Turing Machine.

It is an astonishing fact that there are families of functions which cannot be computed.
In fact, most of the functions cannot be computed. There are trivial reasons for this: There
are more functions than there are ways to compute them. The reason for this is that the
set of Turing machines is countable, whereas the set of families of functions is not. In spite
of the simplicity of this argument (which can be formalized using the diagonal argument)
this observation came as a complete surprise in the 1930's when it was first discovered.
The subject of computability of functions is a cornerstone in computational complexity.
However, in the theory of computation, we are interested not only in the question of which
functions can be computed, but mainly in the cost of computing these functions. The cost,
or computational complexity, is measured naturally by the physical resources invested in
order to solve the problem, such as time, space, energy, etc. A fundamental question in
computational complexity is how the cost function behaves as a function of the input size,
n, and in particular whether it is exponential or polynomial in n. In computer science,
problems which can only be solved in exponential cost are regarded as intractable, and any of
the readers who has ever tried to perform an exponentially slow simulation will appreciate
this characterization. The class of tractable problems consists of those problems which
have polynomial solutions.

It is worthwhile to reconsider what it means to solve a problem. One of the most
important conceptual breakthroughs in modern mathematics was the understanding [164]
that sometimes it is advantageous to relax the requirements that a solution be always
correct, and allow some (negligible) probability for an error. This gave rise to much more
rapid solutions to different problems, which make use of random coin flips, such as the
Miller-Rabin randomized algorithm to test whether an integer is prime or not |7^]. Here is
a simple example of the advantage of probabilistic algorithms:

We have access to a database of N bits, and we are told that they are either
all equal ("constant"), or half are 0 and half are 1 ("balanced"). We are asked
to distinguish between the two cases.

A deterministic algorithm will have to observe N/2 + 1 bits in order to always give a
correct answer. To solve this problem probabilistically, toss a random i between 1 and N,
observe the i'th bit, and repeat this experiment k times. If two different bits are found,
the answer is "balanced", and if all bits are equal, the answer is "constant". Of course,
there is a chance that we are wrong when declaring "constant", but this chance can be
made arbitrarily small. The probability for an error equals the chance of tossing a fair
coin k times and getting always 0, and it decreases exponentially with k. For example, in
order for the error probability to be less than 10"^*^, k = 100 suffices. In general, for any
desired confidence, a constant k will do. This is a very helpful shortcut if N is very large.
Hence, if we allow negligible probability of error, we can do much better!

The class of tractable problems is now considered as those problems solvable with a 
negligible probability for error in polynomial time. These solutions will be computed by a 
probabilistic Turing machine, which is defined exactly as a deterministic Turing machine, 
except that the transition function can change the configuration in one of several possible 
ways, randomly. The modern Church thesis refines the Church thesis and asserts that the 
probabilistic Turing machine captures the entire concept of computational complexity: 

The modern Church thesis: A probabilistic Turing machine can simulate 
any reasonable physical device in polynomial cost. 



It is worthwhile considering a few models which might seem to contradict this thesis
at first sight. One such model is the DNA computer which enables a solution of
NP-complete problems (these are hard problems to be defined later) in polynomial time Q, 140 1.
However, the cost of the solution is exponential because the number of molecules in the
system grows exponentially with the size of the computation. Vergis et al. [194] suggested
a machine which seems to be able to solve instantaneously an NP-complete problem
using a construction of rods and balls, which is designed such that the structure moves
according to the solution to the problem. A careful consideration p78[] reveals that though
we tend to think of rigid rods as transferring the motion instantaneously, there will be
a time delay in the rods, which will accumulate and cause an exponential overall delay.
Shamir [170] showed how to factorize an integer in polynomial time and space, but using
another physical resource exponentially, namely precision. In fact, J. Simon showed that
extremely hard problems (the class of problems called Polynomial space, which are harder
than NP problems) can be solved with polynomial cost in time and space but with
exponential precision. Hence all these suggestions for computational models do not provide
counterexamples for the modern Church thesis, since they require exponential physical
resources. However, note that all the suggestions mentioned above rely on classical physics.



In the early 80's Benioff [27, 28] and Feynman p4| started to discuss the question of
whether computation can be done in the scale of quantum physics. In classical computers,
the elementary information unit is a bit, i.e. a value which is either 0 or 1. The quantum
analog of a bit would be a two state particle, called a quantum bit or a qubit. A two
state quantum system is described by a unit vector in the Hilbert space $\mathbb{C}^2$, where
$\mathbb{C}$ are the complex numbers. One of the two states will be denoted by $|0\rangle$, and
corresponds to the vector (1, 0). The other state, which is orthogonal to the first one, will
be denoted by $|1\rangle$ = (0, 1). These two states constitute an orthogonal basis to the Hilbert
space. To build a computer, we need to compose a large number of these two state particles.
When n such qubits are composed to one system, their Hilbert space is the tensor product of
n spaces: $\mathbb{C}^2 \otimes \cdots \otimes \mathbb{C}^2$. To understand this space better, it is best to think of it
as the space spanned by its basis. As the natural basis for this space, we take the basis
consisting of $2^n$ vectors, which is sometimes called the computational basis:

$$\begin{array}{c}
|0\rangle \otimes |0\rangle \otimes \cdots \otimes |0\rangle \\
|0\rangle \otimes |0\rangle \otimes \cdots \otimes |1\rangle \\
\vdots
\end{array} \qquad (1)$$

Naturally classical strings of bits will correspond to quantum states:

$$i_1 i_2 \ldots i_n \longleftrightarrow |i_1\rangle \otimes |i_2\rangle \otimes \cdots \otimes |i_n\rangle = |i_1 i_2 \ldots i_n\rangle \qquad (2)$$

How can one perform computation using qubits? Suppose, e.g., that we want to
compute the function $f : i_1 i_2 \ldots i_n \mapsto f(i_1, \ldots, i_n)$, from n bits to n bits. We would
like the system to evolve according to the time evolution operator U:

$$|i_1 i_2 \ldots i_n\rangle \mapsto U|i_1 i_2 \ldots i_n\rangle = |f(i_1, \ldots, i_n)\rangle. \qquad (3)$$

We therefore have to find the Hamiltonian $\mathcal{H}$ which generates this evolution according to
Schrödinger's equation: $i\hbar \frac{d}{dt}|\Psi(t)\rangle = \mathcal{H}|\Psi(t)\rangle$. This means that we have to solve
for $\mathcal{H}$ given the desired U:

$$|\Psi_f\rangle = \exp\left(-\frac{i}{\hbar}\int \mathcal{H}\,dt\right)|\Psi_0\rangle = U|\Psi_0\rangle \qquad (4)$$

A solution for $\mathcal{H}$ always exists, as long as the linear operator U is unitary. It is
important to pay attention to the unitarity restriction. Note that the quantum analog of a
classical operation will be unitary only if f is one-to-one, or reversible. Hence, a reversible
classical function can be implemented by a physical Hamiltonian. Researchers investigated
the question of reversible classical functions in connection with completely different
problems, e.g. the problem of whether computation can be done without generating heat
(which is inevitable in irreversible operations) and as a solution to the "Maxwell demon"
paradox |136| , 121]. It turns out that any classical function can be represented as
a reversible function |13?, 29] on a few more bits, and the computation of f can be made
reversible without losing much in efficiency. Moreover, if f can be computed classically by
polynomially many elementary reversible steps, the corresponding U is also decomposable
into a sequence of polynomially many elementary unitary operations. We see that quantum
systems can imitate all computations which can be done by classical systems, and do
not lose much in efficiency.

Quantum computation is interesting not because it can imitate classical computation,
but because it can probably do much more. In a seminal paper [93], Feynman pointed
out the fact that quantum systems of n particles seem exponentially hard to simulate
by classical devices. In other words, quantum systems do not seem to obey the modern
Church thesis, i.e. they do not seem to be polynomially equivalent to classical systems! If
quantum systems are hard to simulate, then quantum systems, harnessed as computational
devices, might be dramatically more powerful than other computational devices.

Where can the "quantumness" of the particles be used? When I described how quantum
systems imitate classical computation, the quantum particles were either in the state
$|0\rangle$ or $|1\rangle$. However, quantum theory asserts that a quantum system, like Schrödinger's cat,
need not be in one of the basis states $|0\rangle$ and $|1\rangle$, but can also be in a linear superposition
of those. Such a superposition can be written as:

$$c_0|0\rangle + c_1|1\rangle \qquad (5)$$

where $c_0, c_1$ are complex numbers and $|c_0|^2 + |c_1|^2 = 1$. The wave function, or superposition,
of n such quantum bits, can be in a superposition of all of the $2^n$ possible basis states!
Consider for example the following state of 3 particles, known as the GHZ state [108]:

$$\frac{1}{\sqrt{2}}\left(|000\rangle + |111\rangle\right) \qquad (6)$$

What is the superposition describing the first qubit? The answer is that there is no such
superposition. Each one of the 3 qubits does not have a state of its own; the state of the
system is not a tensor product of the states of each particle, but is some superposition
which describes quantum correlations between these particles. Such particles are said to be
quantumly entangled. The Einstein Podolsky Rosen paradox [89], and Bell inequalities [25,
26, 65, 108], correspond to this puzzling quantum feature by which a quantum particle does
not have a state of its own. Because of the entanglement or quantum correlations between
the n quantum particles, the state of the system cannot be specified by simply describing
the state of each of the n particles. Instead, the state of n quantum bits is a complicated
superposition of all $2^n$ basis states, so $2^n$ complex coefficients are needed in order to
describe it. This exponentiality of the Hilbert space is a crucial ingredient in quantum
computation. To gain more understanding of the advantages of the exponentiality of the
space, consider the following superposition of n quantum bits.

$$\frac{1}{\sqrt{2^n}} \sum_{i_1, i_2, \ldots, i_n = 0}^{1} |i_1, i_2, \ldots, i_n\rangle \qquad (7)$$

This is a uniform superposition of all possible basis states of n qubits. If we now apply the
unitary operation which computes f, from equation (3), to this state, we will get, simply
from linearity of quantum mechanics:

$$\frac{1}{\sqrt{2^n}} \sum_{i_1, i_2, \ldots, i_n = 0}^{1} |i_1, i_2, \ldots, i_n\rangle \mapsto \frac{1}{\sqrt{2^n}} \sum_{i_1, i_2, \ldots, i_n = 0}^{1} |f(i_1, i_2, \ldots, i_n)\rangle. \qquad (8)$$

Applying U once computes f simultaneously on all the $2^n$ possible inputs i, which is an
enormous power of parallelism!

It is tempting to think that exponential parallelism immediately implies exponential 
computational power, but this is not the case. In fact, classical computations can be 
viewed as having exponential parallelism as well; we will devote much attention to this
later on. The problem lies in the question of how to extract the exponential information 
out of the system. In quantum computation, in order to extract quantum information one 
has to observe the system. The measurement process causes the famous collapse of the 
wave function. In a nutshell, this means that after the measurement the state is projected 
to only one of the exponentially many possible states, so that the exponential amount of 
information which has been computed is completely lost! In order to gain advantage of 
exponential parallelism, one needs to combine it with another quantum feature, known 
as interference. Interference allows the exponentially many computations done in parallel 
to cancel each other, just like destructive interference of waves or light. The goal is to 
arrange the cancelation such that only the computations which we are interested in remain, 
and all the rest cancel out. The combination of exponential parallelism and interference 
is what makes quantum computation powerful, and plays an important role in quantum 
algorithms. 

A quantum algorithm is a sequence of elementary unitary steps, which manipulate the
initial quantum state $|i\rangle$ (for an input i) such that a measurement of the final state of the
system yields the correct output. The first quantum algorithm which combines interference
and exponentiality to solve a problem faster than classical computers was discovered
by Deutsch and Jozsa [80]. This algorithm addresses the problem we have encountered
before in connection with probabilistic algorithms: Distinguish between "constant" and
"balanced" databases. The quantum algorithm solves this problem exactly, in polynomial
cost. As we have seen, classical computers cannot do this, and must release the restriction
of exactness. Deutsch and Jozsa made use of the most powerful tool in quantum algorithms,
the Fourier transform, which indeed manifests interference and exponentiality.
Simon's algorithm [177] uses similar techniques, and was the seed for the most important
quantum algorithm known today: Shor's algorithm.
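
The interference argument for the "constant"/"balanced" problem can be checked on a classical state-vector simulation. The following Python sketch is an added example, not code from the review; it assumes the database length is N = 2^n, models the query as a phase flip on each index, and uses the Hadamard transform on every qubit as the Fourier transform.

```python
import math


def walsh_hadamard(amplitudes):
    """Apply a Hadamard gate to every qubit: the Fourier transform over Z_2^n."""
    amps = list(amplitudes)
    size = len(amps)
    half = 1
    while half < size:
        for start in range(0, size, 2 * half):
            for j in range(start, start + half):
                a, b = amps[j], amps[j + half]
                amps[j], amps[j + half] = a + b, a - b
        half *= 2
    norm = math.sqrt(size)
    return [a / norm for a in amps]


def deutsch_jozsa(database):
    """Classify a database of N = 2^n bits with ONE simulated quantum query.

    Returns (verdict, probability of measuring the all-zero state).
    """
    size = len(database)
    if size < 2 or size & (size - 1):
        raise ValueError("database length must be a power of two")
    # Start in |00...0> and create the uniform superposition of all indices.
    state = [0.0] * size
    state[0] = 1.0
    state = walsh_hadamard(state)
    # The single query: index i picks up the phase (-1)^database[i].
    state = [-amp if bit else amp for amp, bit in zip(state, database)]
    # Second transform: the 2^n computational paths interfere.
    # Constant database -> all paths add up on |00...0>;
    # balanced database -> they cancel exactly on |00...0>.
    state = walsh_hadamard(state)
    p_all_zero = state[0] ** 2
    verdict = "constant" if p_all_zero > 0.5 else "balanced"
    return verdict, p_all_zero


def deterministic_queries(database):
    """Bits an exact classical algorithm reads before it can be certain."""
    first = database[0]
    for reads, bit in enumerate(database, start=1):
        if bit != first:
            return reads              # two different bits seen: balanced
        if reads == len(database) // 2 + 1:
            return reads              # N/2 + 1 equal bits: must be constant
    return len(database)


# Constructed sample databases (N = 8, i.e. n = 3 qubits).
CONSTANT_DB = [1] * 8
BALANCED_DB = [0, 1, 1, 0, 1, 0, 0, 1]

if __name__ == "__main__":
    for name, db in (("constant", CONSTANT_DB), ("balanced", BALANCED_DB)):
        verdict, p = deutsch_jozsa(db)
        print(name, "->", verdict, "P(all zero) = %.3f" % p,
              "| classical reads:", deterministic_queries(db))
```

The simulation itself costs time proportional to N, which is the exponential overhead of tracking all amplitudes classically; the quantum device would need only n qubits and one query.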

Shor's algorithm (1994) is a polynomial quantum algorithm for factoring integers, and
for finding the logarithm over a finite field [172]. For both problems, the best known
classical algorithms are exponential. However, there is no proof that classical efficient
algorithms do not exist. Shor's result is regarded as extremely important both theoretically
and practically, mainly due to the fact that the assumption that factorization is hard lies
at the heart of the RSA cryptographic system |166, |7^. A cryptosystem is supposed
to be a secure way to transform information such that an eavesdropper will not be able
to learn in reasonable time significant information about the message sent. The RSA
cryptosystem is used very heavily: The CIA uses it, the security embedded into Netscape
and the Explorer Web browsers is based on RSA, banks use RSA for internal security as
well as securing external connections. However, RSA can be cracked by anyone who has
an efficient algorithm for factoring. It is therefore understandable why the publication of
the factorization algorithm caused a rush of excitement all over the world.
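
Why the whole security of RSA rests on the factoring assumption can be seen on a toy key. The following Python sketch is an added example, not code from the review; the primes, message and helper names are constructed for illustration, the RSA is unpadded textbook RSA, and trial division stands in for "an efficient algorithm for factoring".

```python
def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes (no padding, toy sizes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent: e*d = 1 (mod phi)
    return (n, e), d


def factor(n):
    """Trial division, exponential in the bit length of n.

    It stands in for the factoring algorithm; only its output matters below.
    """
    if n % 2 == 0:
        return 2, n // 2
    candidate = 3
    while candidate * candidate <= n:
        if n % candidate == 0:
            return candidate, n // candidate
        candidate += 2
    raise ValueError("n has no non-trivial factor")


def private_exponent_from_public_key(public_key):
    """Everything needed to rebuild d is the public key plus the factors of n."""
    n, e = public_key
    p, q = factor(n)
    return pow(e, -1, (p - 1) * (q - 1))


# Constructed toy parameters: real moduli are 2048 bits or more.
P, Q = 1009, 1013
PUBLIC_KEY, PRIVATE_D = make_keypair(P, Q)
MESSAGE = 424242
CIPHERTEXT = pow(MESSAGE, PUBLIC_KEY[1], PUBLIC_KEY[0])


def demo():
    """Return (recovered d equals the real d, plaintext recovered from ciphertext)."""
    n, _ = PUBLIC_KEY
    d = private_exponent_from_public_key(PUBLIC_KEY)
    return d == PRIVATE_D, pow(CIPHERTEXT, d, n)


if __name__ == "__main__":
    same_key, plaintext = demo()
    print("private exponent recovered:", same_key, "| plaintext:", plaintext)
```

Key length only raises the cost of the `factor` step; nothing else in the chain is secret, which is why a polynomial factoring algorithm removes the protection at any key size.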

It is important that the quantum computation power does not rely on unreasonable
precision but a polynomial amount of precision in the computational elements is enough [38].
This means that the new model requires physically reasonable resources, in terms of time,
space, and precision, but yet it is (possibly) exponentially stronger than the ordinary model
of probabilistic Turing machine. As such, it is the only model which really threatens the
modern Church thesis.

There are a few major developing directions of research in the area of quantum
computation. In 1995 Grover [110] discovered an algorithm which searches an unsorted database
of N items and finds a specific item in $\sqrt{N}$ time steps. This result is surprising, because
intuitively, one cannot search the database without going through all the items. Grover's
solution is quadratically better than any possible classical algorithms, and was followed
by numerous extensions and applications [44, 111, 112, 87, 47, 45], all achieving polynomial
advantage over classical algorithms. A promising new branch in quantum complexity
theory is the study of a class of problems which is the quantum analog of the complexity
class NP [126]. Another interesting direction in quantum computation is concerned with
quantum computers simulating efficiently other physical systems such as many body Fermi
systems |0|, |l], |9|, |4|]. This direction pursues the original suggestion by Feynman [93],
who noticed that quantum systems are hard to simulate by classical devices. An important
direction of investigation is the search for a different, perhaps stronger, quantum
computation model. For example, consider the introduction of slight non-linearities into
quantum mechanics. This is completely hypothetical, as all experiments verify the
linearity of quantum mechanics. However, such slight non-linearities would imply extremely
strong quantum algorithms 1^]. A very interesting quantum computation model which
is based on anyons, and uses non-local features of quantum mechanics, was suggested by
Kitaev [125]. A possibly much stronger model, based on quantum field theory, was sketched
recently by Freedman, but it has not been rigorously defined yet p7[| . One other direction
is oracle results in quantum complexity. This direction compares quantum complexity
power and classical complexity power when the two models are allowed to have access to
an oracle, i.e. a black box which can compute a certain (possibly difficult) function in one
step |38, |3^, In fact, the result of Bernstein and Vazirani jS^] from 1993 demonstrating
a superpolynomial gap between quantum and classical computational complexity
with an access to a certain oracle initialized the sequence of results leading to Shor's
algorithm. An important recent result [^] in quantum complexity shows that quantum
computers have no more than polynomial advantage in terms of number of accesses to
the inputs. As of now, we are very far from understanding the computational power of
quantum systems. In particular, it is not known whether quantum systems can efficiently
solve NP complete problems or not.

Quantum information theory, a subject which is intermingled with quantum computation,
provides a bunch of quantum magic tricks, which might be used to construct more
powerful quantum algorithms. Probably the first "quantum pearl" that one encounters in
quantum mechanics is the Einstein Podolsky Rosen paradox, which, as is best explained
by Bell's inequalities, establishes the existence of correlations between quantum particles,
which are stronger than any classical model can explain. Another "quantum pearl"
which builds on quantum entanglement is teleportation p^] . This is an amazing quantum
recipe which enables two parties (Alice and Bob) which are far apart, to transfer
an unknown quantum state of a particle in Alice's hands onto a particle in Bob's hand,
without sending the actual particle. This can be done if Alice and Bob share a pair of
particles which interacted in the past and therefore are quantumly entangled. Such quantum
effects already serve as ingredients in different computation and communication tasks.
Entanglement can be used, for example, in order to gain advantage in communication. If
two parties, Alice and Bob, want to communicate, they can save bits of communication
if they share entangled pairs of qubits U, m, |7|, 0]. Teleportation can be viewed as a
quantum computation |4£], and beautiful connections were drawn [^ between teleportation
and quantum algorithms which are used to correct quantum noise. All these are uses
of quantum effects in quantum computation. However, I believe that the full potential of
quantum mechanics in the context of complexity and algorithmic problems is yet to be
revealed.

Despite the impressive progress in quantum computation, a menacing question still
remained. Quantum information is extremely fragile, due to inevitable interactions between
the system and its environment. These interactions cause the system to lose part of its
quantum nature, a process called decoherence [184, 205]. In addition, quantum elementary
operations (called gates) will inevitably suffer from inaccuracies. Will physical realizations
of the model of quantum computation still be as powerful as the ideal model? In classical
computation, it was already shown by von Neumann p!53[ how to compute when the
elements of the computation are faulty, using redundant information. Indeed, nowadays
error corrections are seldom used in computers because of extremely high reliability of
the elements, but quantum elements are much more fragile, and it is almost certain that
quantum error corrections will be necessary in future quantum computers. It was shown
that if the errors are not corrected during quantum computation, they soon accumulate
and ruin the entire computation ! 57, |5^, 0, |149(| . Hence, a method to correct the effect
of quantum noise is necessary. Physicists were pessimistic about the question of whether
such a correction method exists [135, 189]. The reason is that quantum information in
general cannot be cloned p3|, |200| , pO[ , and so the information cannot be simply protected
by redundancy, as is done classically. Another problem is that in contrast to the
discreteness of digital computers, a quantum system can be in a superposition of eigenstates
with continuous coefficients. Since the range of allowed coefficients is continuous, it seems
impossible to distinguish between bona fide information and information which has been
contaminated.

As opposed to the physical intuition, it turns out that clever techniques enable quantum
information to be protected. The conceptual breakthrough in quantum error corrections
was the understanding that quantum errors, which are continuous, can be viewed as a
discrete process in which one out of four quantum operations occurs. Moreover, these errors
can be viewed as classical errors, called bit flips, and quantum errors, called phase flips.
Bit flip errors can be corrected using classical error correction techniques. Fortunately,
phase flips transform to bit flips, using the familiar Fourier transform. This understanding
allowed using classical error correction codes techniques in the quantum setting. Shor was
the first to present a scheme that reduces the effect of noise and inaccuracies, building
on the discretization of errors [173]. As in classical error correcting codes, quantum states
of k qubits are encoded on states of more qubits. Spreading the state of a few qubits on
more qubits allows correction of the information, if part of it has been contaminated.
These ideas were extended [53, 180] to show that a quantum state of k qubits can be
encoded on n qubits, such that if the n qubits are sent through a noisy channel, the
original state of the k qubits can be recovered. k/n tends asymptotically to a constant
transmission rate which is non zero. This is analogous to Shannon's result from noisy
classical communication [171]. Many different examples of quantum error correcting codes
followed pl], p^ , m, |131|, |165|,|T38|], and a group theoretical framework for most quantum
codes was established Jp3, 54, 106
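
The two observations above, that a bit flip on an encoded state can be located from parity checks and that a phase flip becomes a bit flip after a Fourier (Hadamard) transform, can be traced on a three-qubit state vector. The following Python sketch is an added example, not code from the review or from the cited papers; it uses the three-qubit repetition code as the simplest instance, and it reads the parity syndrome directly from the simulated amplitudes where a real device would measure it with ancilla qubits.

```python
import math

N_QUBITS = 3


def _mask(qubit):
    return 1 << (N_QUBITS - 1 - qubit)       # qubit 0 is the leftmost bit


def bit_flip(state, qubit):
    """Pauli X: swap amplitudes of basis states that differ in this bit."""
    return [state[i ^ _mask(qubit)] for i in range(len(state))]


def phase_flip(state, qubit):
    """Pauli Z: negate the amplitudes of basis states where this bit is 1."""
    return [-a if i & _mask(qubit) else a for i, a in enumerate(state)]


def hadamard_all(state):
    """Hadamard on every qubit, the Fourier transform the text refers to."""
    s = 1 / math.sqrt(2)
    for qubit in range(N_QUBITS):
        m = _mask(qubit)
        out = [0.0] * len(state)
        for i, a in enumerate(state):
            sign = -1.0 if i & m else 1.0
            out[i & ~m] += s * a             # component with this bit = 0
            out[i | m] += sign * s * a       # component with this bit = 1
        state = out
    return state


def encode(alpha, beta):
    """alpha|0> + beta|1>  ->  alpha|000> + beta|111>."""
    state = [0.0] * (1 << N_QUBITS)
    state[0b000], state[0b111] = alpha, beta
    return state


def correct_bit_flip(state):
    """Locate and undo a single bit flip from the two parity checks.

    Both branches of a singly corrupted codeword share the same parities,
    so the syndrome names the flipped qubit without revealing alpha or beta.
    """
    i = max(range(len(state)), key=lambda k: abs(state[k]))
    b = [(i >> (N_QUBITS - 1 - q)) & 1 for q in range(N_QUBITS)]
    syndrome = (b[0] ^ b[1], b[1] ^ b[2])
    flipped = {(0, 0): None, (1, 0): 0, (1, 1): 1, (0, 1): 2}[syndrome]
    fixed = state if flipped is None else bit_flip(state, flipped)
    return fixed, flipped


def correct_phase_flip(state):
    """Rotate phase flips into bit flips (H Z H = X), correct, rotate back."""
    fixed, flipped = correct_bit_flip(hadamard_all(state))
    return hadamard_all(fixed), flipped


def close(u, v, tol=1e-9):
    return all(abs(a - b) < tol for a, b in zip(u, v))


def demo():
    logical = encode(0.6, 0.8)               # constructed amplitudes
    after_x, q_x = correct_bit_flip(bit_flip(logical, 1))
    dual = hadamard_all(logical)             # codeword of the phase-flip code
    after_z, q_z = correct_phase_flip(phase_flip(dual, 2))
    return close(after_x, logical), q_x, close(after_z, dual), q_z


if __name__ == "__main__":
    print(demo())
```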



Resilient quantum computation is more complicated than simply protecting quantum
information which is sent through a noisy quantum channel. Naturally, to protect the
information we would compute on encoded states. There are two problems with noisy
computation on encoded states. The first is that the error correction is done with faulty
gates, which cause errors themselves [19]. We should be careful that the error correction
does not cause more harm than it helps. The second problem is that when computing on
encoded states, qubits interact with each other through the gates, and this way errors can
propagate through the gates, from one qubit to another. The error can spread in this way
to the entire set of qubits very quickly. In order to deal with these problems, the idea is to
perform computation and error correction in a distributed manner, such that each qubit
can affect only a small number of other qubits. Kitaev [124] showed how to perform the
computation of error correction with faulty gates. Shor discovered [174] how to perform a
general computation in the presence of noise, under the unphysical assumption that the
noise decreases (slowly) with the size of the computation. A more physically reasonable
assumption would be that the devices used in the laboratory have a constant amount of
noise, independent of the size of the computation. To achieve fault tolerance against such
noise, we apply a concatenation of Shor's scheme. We encode the state once, and then
encode the encoded state, and so on for several levels. This technique enabled the
proof of the threshold theorem [127, 128, 107, 125, 162], which asserts that it is possible
to perform resilient quantum computation for as long as we wish, if the noise is smaller
than a certain threshold. Decoherence and imprecision are therefore no longer considered
insurmountable obstacles to realizing a quantum computation.

In accord with these theoretical optimistic results, attempts at implementations of 
quantum circuits are now being carried out all over the world. Unfortunately, the progress 
in this direction is much slower than the impressive pace in which theoretical quantum 
computation has progressed. The reason is that handling quantum systems experimentally 
is extremely difficult. Entanglement is a necessary ingredient in quantum computers, 
but experimentally, it is a fragile property which is difficult to create and preserve [65]. 
So far, entangled pairs of photons were created successfully [133, 185], and entanglement 
features such as violation of Bell inequalities were demonstrated [10, 11]. Even entangled 
pairs of atoms were created [114]. However quantum computation is advantageous 
only when macroscopically many particles are entangled ]1118| , |6|, a task which seems 
impossible as of now. Promising experimental developments come from the closely related 
subject of quantum cryptography [50, 34, 46]. Quantum communication was successfully 14~ 
Bouwmeester et al. have recently reported on experimental realization 
of quantum teleportation [B3]. Suggestions for implementations of quantum computation 
|63|, |74|, |10^, |14 5|,lTl7|, M |14|, In^, WM, WM, |18|] include quantum dots, cold 
trapped ions and nuclear magnetic resonance, and some of these suggestions were already 
implemented |15[1| , 187, 147, 104, 75]. Unfortunately, these implementations were 
so far limited to three qubits. With three qubits it is possible to perform partial error 
correction, and successful implementation of error correction of phases using NMR was 
reported]]?^, ^]. Using nuclear magnetic resonance techniques, a quantum algorithm was 
implemented which achieves proven advantage over classical algorithms]^]. It should be 
noted, however, that all these suggestions for implementation suffer from severe problems. 
In nuclear magnetic resonance the signal-to-noise ratio decays exponentially with the number 
of qubits [195], though a theoretical solution to this problem was given recently [168]. 
Other implementations do not allow parallel operations, which are necessary for error 
resilience]^]. In all the above systems controlling thousands of qubits seems hopeless at 
present. Nevertheless, the experimental successes encourage our hope that the ambitious 
task of realizing quantum computation might be possible. 

The exciting developments in quantum computation give rise to deep new open ques- 
tions in both the fields of computer science and physics. In particular, computational 
complexity questions shed new light on old questions in fundamental quantum physics 
such as the transition from quantum to classical physics, and the measurement process. I 
shall discuss these interesting topics at the end of the paper. 

We will start with a survey of the important concepts connected to computation, in 
section 2. The model of quantum computation is defined in section 3. Section 4 discusses 
elementary quantum operations. Section 5 describes basic quantum algorithms by Deutsch 
and Jozsa and by Simon. Shor's factorization algorithm is presented in section 6, while 
Fourier transforms are discussed separately in section 7, together with an alternative 
factorization algorithm by Kitaev. Grover's database search and variants are explained 
in section 8. Section 9 discusses the origins for the power of quantum computation, while 
section 10 discusses weaknesses of quantum computers. Sections 11, 12 and 13 are devoted 
to noise, error correction and fault tolerant computation. In Section 14 I conclude with a 
few remarks of a philosophical flavor. 
2 What is a Computer? 



Let us discuss now the basic notions of computational complexity theory: Turing machines, 
Boolean circuits, computability and computational complexity. The important complexity 
classes P and NP are also defined in this section. For more background, consult |7^, 157|. 
We begin with the definition of a Turing machine: 

Definition 1 A Turing machine (TM) is a triplet $M = (\Sigma, K, \delta)$. 

1. $\Sigma = \{\sqcup, 0, 1, \ldots\}$ is a finite set of symbols which we call the alphabet. $\sqcup$ is a special 
symbol called the blank symbol. 

2. $K$ is a finite set of "machine states", with two special states: $s \in K$ the initial state 
and $h \in K$ the final state. 

3. A transition function $\delta : K \times \Sigma \longmapsto K \times \Sigma \times \{-1, 0, 1\}$. 

The machine works as follows: the tape has a head which can read and write on the 
tape during the computation. The tape is thus used as working space, or memory. The 
computation starts with an input of n symbols written in positions [1, ..., n] on the tape, 
all symbols except these n symbols are blank ($\sqcup$), the head is initially at position 1, and 
the state is initially s. Each time step, the machine evolves according to the transition 
function $\delta$ in the following way. If the current state of the machine is $q$ and the symbol 
in the current place of the tape is $a$, and $\delta(q, a) = (q', a', \epsilon)$, then the machine state is 
changed to $q'$, the symbol under the head is replaced by $a'$ and the tape head moves one 
step in direction $\epsilon$ (if $\epsilon = 0$ the head doesn't move). Here is a schematic description of a 
Turing machine: 



[Figure: schematic of a Turing machine tape; the input symbols are followed by blank cells.] 



Note that the operation of the Turing machine is local: It depends only on the current 
state of the machine and the symbol written in the current position of the tape. Thus 
the operation of the machine is a sequence of elementary steps which require a constant 
amount of effort. If the machine gets to "final state", h, we say that the machine has 
"halted". What is written at that time on the tape should contain the output. (Typically, 
the output will be given in the form "yes" or "no".) One can easily construct examples in 
which the machine never halts on a given input, for example by entering into an infinite 
loop. 
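The definition and the step rule above translate directly into a short simulator. The Python below is an added example, not code from the original review; the parity machine, the looping machine, the state name "o" and the step budget are assumptions made for illustration.

```python
# Added example: simulator for the Turing machine M = (Sigma, K, delta) of Definition 1.
BLANK = "_"  # stands for the blank symbol of the alphabet


def run_tm(delta, tape_input, start="s", final="h", max_steps=10_000):
    """Run the machine on tape_input and return (halted, tape_contents, steps).

    delta maps (state, symbol) -> (new_state, new_symbol, move), move in {-1, 0, 1}.
    The input occupies positions 1..n and the head starts at position 1 in `start`.
    halted is False when the step budget is exhausted: a simulator cannot tell
    "slow" from "never halts", it can only stop looking.
    """
    tape = {pos: sym for pos, sym in enumerate(tape_input, start=1)}
    head, state, steps = 1, start, 0
    while state != final and steps < max_steps:
        symbol = tape.get(head, BLANK)
        if (state, symbol) not in delta:
            raise ValueError(f"no rule for state {state!r} reading {symbol!r}")
        # One local step: new state, symbol written under the head, head move.
        state, tape[head], move = delta[(state, symbol)]
        head += move
        steps += 1
    if tape:
        cells = "".join(tape.get(p, BLANK) for p in range(min(tape), max(tape) + 1))
    else:
        cells = ""
    return state == final, cells.strip(BLANK), steps


# Constructed machine: erases the input while tracking the parity of the 1s,
# then writes "1" (odd) or "0" (even) and halts. "s" = even so far, "o" = odd so far.
PARITY = {
    ("s", "0"): ("s", BLANK, 1),
    ("s", "1"): ("o", BLANK, 1),
    ("o", "0"): ("o", BLANK, 1),
    ("o", "1"): ("s", BLANK, 1),
    ("s", BLANK): ("h", "0", 0),
    ("o", BLANK): ("h", "1", 0),
}

# Constructed machine that never reaches the final state on input "0".
LOOP = {("s", "0"): ("s", "0", 0)}

if __name__ == "__main__":
    print(run_tm(PARITY, "1011"))
    print(run_tm(LOOP, "0", max_steps=100))
```
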

According to the definition above, there are many possible Turing machines, each 
designed to compute a specific task, according to the transition function. However, there 
exists one Turing machine, U, which when presented with an input, interprets this input 
as a description of another Turing machine, M, concatenated with the description of the 
input to M, call it x. U will simulate efficiently the behavior of M when presented with 
the input x, and we write U(M, x) = M(x). This U is called a universal Turing machine. 
More precisely, the description of M should be given with some fixed notation. Without 
loss of generality, all the symbols and states of M can be given numbers from 1 to $|K| + |\Sigma|$. 
The description of M should contain $|K|$, $|\Sigma|$ and the transition function, which will be 
described by a set of rules (which is finite) of the form $((q, a)(q', a', \epsilon))$. For this, U's set 
of symbols will contain the symbols "(" and ")" apart from $\sqcup$, 0, 1. U will contain a few 
machine states, such as: "$q_1$: now reading input", "$q_2$: looking for an appropriate rule to 
apply" and so on. I will not go through the details, but it is convincing that with such a 
finite set of states, U can simulate the operation of any M on any input x, because the 
entire set of rules of the transition function is written on the tape. 

The existence of a universal Turing machine leads naturally to the deep and beautiful 
subject of non-computability. A function is non-computable if it cannot be computed by 
a Turing machine, i.e. there is no Turing machine which for any given input, halts and 
outputs the correct answer. The most famous example is the HALTING problem. The 
problem is this: Given a description of a Turing machine M and its input x, will M halt 
on x? 

Theorem 1 There is no Turing machine that solves the HALTING problem on all inputs 
(M, x). 

Proof: The proof of this theorem is conceptually puzzling. It uses the so called 
diagonal argument. Assume that $H$ is a Turing machine, such that $H(M, x)$ is "yes" if 
$M(x)$ halts and "no" otherwise. Modify $H$ to obtain $\tilde{H}$, such that 

$H(M, M) =$ "yes" $\longmapsto$ $\tilde{H}(M)$ enters an infinite loop. 
$H(M, M) =$ "no" $\longmapsto$ $\tilde{H}(M) =$ "yes". 

The modification is done easily by replacing a few rules in the transition function of 
$H$. A rule which writes "yes" on the tape and causes $H$ to halt is replaced by a rule that 
takes the machine into an infinite loop. A rule which writes "no" on the tape and causes 
$H$ to halt is replaced by a rule that writes "yes" on the tape and then halts $\tilde{H}$. This way, 
$\tilde{H}$ is a "twisted" version of $H$. Now, does $\tilde{H}(\tilde{H})$ halt or not? We obtain a contradiction 
in both ways. Suppose it does halt. This means that $H(\tilde{H}, \tilde{H}) =$ "no" so $\tilde{H}(\tilde{H})$ does not 
halt! If $\tilde{H}(\tilde{H})$ does not halt, this means $H(\tilde{H}, \tilde{H}) =$ "yes" so $\tilde{H}(\tilde{H})$ does halt! ∎ 

This beautiful proof shows that there are functions which cannot be computed. The 
Turing machine is actually used to define which functions are computable and which are 
not. 

It is sometimes more convenient to use another universal model, which is polynomially 
equivalent to Turing machines, called the Boolean circuit model. We will use the quantum 
analog of this model throughout this review. A Boolean circuit is a directed acyclic graph, 
with nodes which are associated with Boolean functions. These nodes are sometimes called 
logical gates. A node with n input wires and m output wires is associated with a function 
$f : \{0, 1\}^n \longmapsto \{0, 1\}^m$. Here is a simple example: 

[Figure: a small Boolean circuit built from OR, NOT and AND gates.] 



Given some string of bits as input, the wires carry the values of the bits, until a node is 
reached. The node computes a logical function of the bits (this function can be NOT, OR, 
AND, etc.). The output wires of the node carry the output bits to the next node, until 
the computation ends at the output wires. The input wires can carry constants which 
do not vary with the different inputs to the circuit, but are part of the hardware of the 
circuit. In a Turing machine the transition function is local, so the operation is a sequence 
of elementary steps. In the circuit model the same requirement translates to the fact that 
the gates are local, i.e. that the number of wires which each node operates on is bounded 
above by a constant. 

To measure the cost of the computation we can use different parameters: S, the number 
of gates in the circuit, or T, the time, or depth of the circuit. In this review, we will mainly 
be concerned with S, the number of gates. We will be interested in the behavior of the 
cost, S, as a function of the size of the input, i.e. the number of wires input to the circuit, 
which we will usually denote by n. To find the cost function $S(n)$, we will look at a 
function $f$ as a family of functions computed by a family of circuits $\{C_n\}_{n=1}^{\infty}$, 
each operating on n input bits; $S(n)$ will be the size of the circuit $C_n$. 

I would like to remark here on an important distinction between the model of Turing 
machines and that of circuits. A lot of information can get into the circuit through the 
hardware. If we do not specify how long it takes to design the hardware, such circuits can 
compute even non-computable functions. This can be easily seen by an example. Define 
the circuit $C_n$ to be a very simple circuit, which outputs a constant bit regardless of the n 
input bits. This constant bit will be 0 or 1 according to whether the n'th Turing machine, 
$M_n$ (ordered according to the numerical description of Turing machines) halts on the input 
$M_n$ or not. The family of circuits $\{C_n\}_{n=1}^{\infty}$ computes the non-computable HALTING 
problem with all the circuits having only one gate! This unreasonable computational 
power of circuits is due to the fact that we haven't specified who constructs the hardware 
of the circuit. We want to avoid such absurdity and concentrate on interesting and realistic 
cases. We will therefore require that the hardware of the circuits which compute $\{f_n\}_{n=1}^{\infty}$ 
can be designed with polynomial cost by a Turing machine. The Turing machine is given 
as an input the integer n, and outputs the specification of the circuit $C_n$. This model is 
called the "uniform circuit model", as opposed to the "non uniform" one, which is too 
strong. The models of uniform Boolean circuits and Turing machines are polynomially 
equivalent. This means that given a Turing machine which computes in polynomial time 
$f(x)$, there is a family of polynomial circuits $\{C_n\}_{n=1}^{\infty}$, specified by a polynomial Turing 
machine, such that $C_n$ computes $f_n$. This correspondence is true also in reverse order, 
i.e. given the family of circuits there is a Turing machine that simulates them. Therefore 
the complexity of a computation does not depend (except for polynomial factors) on the 
model used. From now on, we will work only in the uniform circuit model. 

One of the main questions in this review is whether the cost of the computation grows 
like a polynomial in n or an exponential in n. This distinction might seem arbitrary, but 
is better understood in the context of the complexity classes P and NP. The complexity 
class P is essentially the class of "easy" problems, which can be solved with polynomial 
cost: 

Definition 2 : Complexity class P 

$f = \{f_n\}_{n=1}^{\infty} \in P$ if there exists a uniform family of circuits $\{C_n\}_{n=1}^{\infty}$ of poly(n) size, 
where $C_n$ computes the function $f_n(x)$ for all $x \in \{0, 1\}^n$. 

The class of Non-deterministic Polynomial time (in short, NP) is a class of much 
harder problems. For a problem to be in NP, we do not require that there exists a 
polynomial algorithm that solves it. We merely require that there exists an algorithm 
which can verify that a solution is correct in polynomial time. Another way to view this 
is that the algorithm is provided with the input for the problem and a hint, but the hint 
may be misleading. The algorithm should solve the problem in polynomial time when the 
hint is good, but it should not be misled by bad hints. In the formal definition which 
follows, y plays the role of the hint. 

Definition 3 : Complexity class NP 

$f = \{f_n\}_{n=1}^{\infty} \in NP$ if there exists a uniform family of circuits, $\{C_n\}_{n=1}^{\infty}$, of poly(n) size, 
such that 

If $x$ satisfies $f_n(x) =$ "yes" $\longmapsto$ there exists a string $y$ of poly(n) size such that 
$C_n(x, y) = 1$, 

If $x$ satisfies $f_n(x) =$ "no" there is no such $y$, i.e. for all $y$'s, $C_n(x, y) =$ "no". 

To understand this formal definition better, let us consider the following example for 
an NP problem which is called satisfiability: 

Input: A formula of n Boolean variables, $X_i$, of the form 

$g(X_1, \ldots, X_n) = (X_i \cup \neg X_j \cup X_k) \cap (X_m \cup \neg X_i) \cdots$ 

which is the logical AND of poly(n) clauses, each clause is the logical OR of 
poly(n) variables or their negation. 

Output: $f(g) = 1$ if there exists a satisfying assignment of the variables 
$X_1, \ldots, X_n$ so that $g(X_1, \ldots, X_n)$ is true. Else, $f(g) = 0$. 
To see that satisfiability is in NP, define the circuit $C_n$ to get as input the specification 
of the formula $g$ and a possible assignment $X_1, \ldots, X_n$. The circuit will output 
$C_n(g, X_1, \ldots, X_n) = g(X_1, \ldots, X_n)$. It is easy to see that these circuits satisfy the requirements 
of the definition of NP problems. However, nobody knows how to build a polynomial circuit 
which gets $g$ as an input, and finds whether a satisfying assignment exists. It seems 
impossible to find a satisfying assignment without literally checking all $2^n$ possibilities. 
Hence satisfiability is not known to be in P. 
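The gap between checking a hint and finding one can be made concrete. The Python below is an added example, not part of the original review: `verify` plays the role of the circuit $C_n(g, X_1, \ldots, X_n)$, while `brute_force_sat` is the exhaustive search over all $2^n$ assignments. The clause encoding (signed integers, k for $X_k$ and -k for its negation) and the sample formulas are assumptions constructed for illustration.

```python
# Added example: polynomial-time verification versus exhaustive search for satisfiability.
from itertools import product


def verify(clauses, assignment):
    """Evaluate g on one assignment: the work done by the verifier circuit C_n.

    clauses is a list of clauses, each a list of non-zero integers:
    literal k means X_k, literal -k means NOT X_k (variables numbered from 1).
    Cost is linear in the size of the formula.
    """
    return all(
        any(assignment[abs(lit) - 1] == (lit > 0) for lit in clause)
        for clause in clauses
    )


def brute_force_sat(clauses, n):
    """Search all 2**n assignments; return (assignment or None, assignments tried)."""
    tried = 0
    for bits in product([False, True], repeat=n):
        tried += 1
        if verify(clauses, bits):
            return bits, tried
    return None, tried


# Constructed formula: (X1 or not X2 or X3) and (X2 or not X1) and (not X3) and (X1)
G_SAT = [[1, -2, 3], [2, -1], [-3], [1]]
# Constructed unsatisfiable formula over two variables.
G_UNSAT = [[1, 2], [-1, 2], [1, -2], [-1, -2]]

if __name__ == "__main__":
    good_hint = (True, True, False)
    bad_hint = (True, False, False)
    print("good hint accepted:", verify(G_SAT, good_hint))
    print("bad hint accepted: ", verify(G_SAT, bad_hint))
    print("search on G_SAT:   ", brute_force_sat(G_SAT, 3))
    print("search on G_UNSAT: ", brute_force_sat(G_UNSAT, 2))
```

A misleading hint is simply rejected by `verify`; for the unsatisfiable formula no hint is accepted, and the search has to visit every assignment before it can answer "no".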

Satisfiability belongs to a very important subclass of NP, namely the NP complete 
problems. These are the hardest problems in NP, in the sense that if we know how to solve 
an NP-complete problem efficiently, we can solve any problem in NP with only polynomial 
slowdown. In other words, a problem $f$ is NP-complete if any NP problem can be reduced 
to $f$ in polynomial time. Garey and Johnson [101] give hundreds of examples of NP-complete 
problems, all of which are reducible one to another with polynomial slowdown, 
and therefore they are all equivalently hard. As of now, the best known algorithm for any 
NP-complete problem is exponential, and the widely believed conjecture is that there is 
no polynomial algorithm, i.e. $P \neq NP$. Perhaps the most important open question in 
complexity theory today, is proving this conjecture. 

Another interesting class consists of those problems solvable with negligible probability 
for error in polynomial time by a probabilistic Turing machine. This machine is defined 
exactly as a deterministic TM, except that the transition function can change the configuration 
in one of several possible ways, randomly. Equivalently, we can define randomized 
circuits, which are Boolean circuits with the advantage that apart from the input of n 
bits, they also get as input random bits which they can use as random coin flips. The 
class of problems solvable by uniform polynomial randomized circuits with bounded error 
probability is called BPP (bounded probability polynomial): 

Definition 4 $f = \{f_n\}_{n=1}^{\infty} \in BPP$ if there exists a family of uniform randomized circuits, 
$\{C_n\}_{n=1}^{\infty}$, of poly(n) size such that $\forall x \in \{0, 1\}^n$, probability$(C_n(x, y) = f_n(x)) > 2/3$, where 
the probability is measured with respect to a uniformly random $y$. 

Until the appearance of quantum computers, the modern Church thesis which asserts that 
a probabilistic Turing machine, or equivalently randomized uniform circuits, can simulate 
any reasonable physical device in polynomial time, held with no counterexamples. The 
quantum model, which I will define in the next chapter, is the only model which seems 
to be qualitatively different from all the others. We can define the quantum complexity 
classes: 

Definition 5 The complexity classes QP and BQP are defined like P and BPP, respec- 
tively, only with quantum circuits. 

It is known that $P \subseteq QP$ and $BPP \subseteq BQP$, as we will see very soon. 
3 The Model of Quantum Computation 

Deutsch was the first to define a rigorous model of quantum computation, first of quantum 
Turing machines |7S] and then of quantum circuits [79]. I will describe first the model of 
quantum circuits, which is much simpler. At the end of the chapter, I present the model of 
quantum Turing machines, for completeness. For background on basic quantum mechanics 
such as Hilbert spaces, Schrödinger equation and measurements I recommend consulting 
the books by Sakurai [167], and by Cohen-Tannoudji [71]. As for more advanced material, the 
book by Peres [161] would be a good reference. However, I will give here all the necessary 
definitions. 

A quantum circuit is a system built of two state quantum particles, called qubits. We 
will work with n qubits, the state of which is a unit vector in the complex Hilbert space 
$\mathbb{C}^2 \otimes \mathbb{C}^2 \otimes \cdots \otimes \mathbb{C}^2$. As the natural basis for this space, we take the basis consisting of $2^n$ 
vectors: 

$$\begin{array}{c} |0\rangle \otimes |0\rangle \otimes \cdots \otimes |0\rangle \\ |0\rangle \otimes |0\rangle \otimes \cdots \otimes |1\rangle \\ \vdots \\ |1\rangle \otimes |1\rangle \otimes \cdots \otimes |1\rangle. \end{array} \qquad (9)$$ 

For brevity, we will sometimes omit the tensor product, and denote 

$$|i_1\rangle \otimes |i_2\rangle \otimes \cdots \otimes |i_n\rangle = |i_1, i_2, \ldots, i_n\rangle = |i\rangle \qquad (10)$$ 

where $i_1, i_2, \ldots, i_n$ is the binary representation of the integer $i$, a number between 0 and 
$2^n - 1$. This is an important step, as this representation allows us to use our quantum 
system to encode integers. This is where the quantum system starts being a computer. 
The general state which describes this system is a complex unit vector in the Hilbert space, 
sometimes called the superposition: 

$$\sum_{i=0}^{2^n - 1} c_i |i\rangle \qquad (11)$$ 

where $\sum_i |c_i|^2 = 1$. The initial state will correspond to the "input" for the computation. 
Let us agree that for an input string $i$, the initial state of the system will be $|i\rangle$: 

$$i \longmapsto |i\rangle \qquad (12)$$ 

We will then perform "elementary operations" on the system. These operations will correspond 
to the computational steps in the computation, just like logical gates are the 
elementary steps in classical computers. In the meantime we will assume that all the 
operations are performed on an isolated system, so the evolution can always be described 
by a unitary matrix operating on the state of the system. Recall that a unitary matrix 
satisfies $U U^{\dagger} = I$, where $U^{\dagger}$ is the transposed complex conjugate of $U$. 
Definition 6 A quantum gate on k qubits is a unitary matrix $U$ of dimensions $2^k \times 2^k$. 



Here is an example of a simple quantum gate, operating on one qubit. 

NOT = 




(13) 



Recalling that in our notation $|0\rangle = (1, 0)$ and $|1\rangle = (0, 1)$, we have that $NOT|0\rangle = |1\rangle$ 
and $NOT|1\rangle = |0\rangle$. Hence, this gate flips the bit, and thus it is justified to call this gate 
the NOT gate. The NOT gate can operate on superpositions as well. From linearity of 
the operation, 

$$NOT(c_0|0\rangle + c_1|1\rangle) = c_0|1\rangle + c_1|0\rangle.$$ 

This linearity is responsible for the quantum parallelism (see Margolus [148]) which we 
will encounter in all powerful quantum algorithms. When the NOT gate operates on the 
first qubit in a system of n qubits, in the state $\sum_i c_i |i_1 i_2 \ldots i_n\rangle$, this state transforms to 
$\sum_i c_i (NOT|i_1\rangle)|i_2 \ldots i_n\rangle = \sum_i c_i |\neg i_1\, i_2 \ldots i_n\rangle$. Formally, the time evolution of the system is 
described by a unitary matrix, which is a tensor product of the gate operating on the first 
qubit and the identity matrix $I$ operating on the rest of the qubits. 

Another important quantum gate is the controlled NOT gate acting on two qubits, 
which computes the classical function: $(a, b) \longmapsto (a, a \oplus b)$ where $a \oplus b = (a + b) \bmod 2$ 
and $a, b \in \{0, 1\}$. This function can be represented by the matrix operating on all 4 
configurations of 2 bits: 

$$CNOT = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \end{pmatrix} \qquad (14)$$ 



The above matrix, as all matrices in this review, is written in the computational basis 
in lexicographic order. This gate is also called the exclusive or or XOR gate (On its 
importance see [^.) The XOR gate applies a NOT on the second bit, called the target 
bit, conditioned that the first control bit is 1. If a black circle denotes the bit we condition 
upon, we can denote the XOR gate by: 



In the same way, all classical Boolean functions can be transformed to quantum gates. 
The matrix representing a classical gate which computes a reversible function (in particular 
the number of inputs to the gate equals the number of outputs) is a permutation on all 
the possible classical strings. Such a permutation is easily seen to be unitary. Of course, 
not all functions are reversible, but they can easily be converted to reversible functions, 
by writing down the input bits instead of erasing them. For a function $f$, from n bits to 
m bits, we get the reversible function from m + n bits to m + n bits: 

$$f : i \longmapsto f(i)$$ 
$$f_r : (i, j) \longmapsto (i, f(i) \oplus j). \qquad (15)$$ 

Applying this method, for example, to the logical AND gate, $(a, b) \longmapsto ab$, it will 
become the known Toffoli gate [186] $(a, b, c) \longmapsto (a, b, c \oplus ab)$, which is described by the 
unitary matrix on three qubits: 

$$\begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \end{pmatrix} \qquad (16)$$ 

The Toffoli gate applies NOT on the last bit, conditioned that the other bits are 1, so we 
can describe it by the following diagram: 

[Figure: circuit diagram of the Toffoli gate, with two control bits and a NOT on the last bit.] 





Quantum gates can perform more complicated tasks than simply computing classical 
functions. An example of such a quantum gate, which is not a classical gate in disguise, 
is a gate which applies a general rotation on one qubit: 



$$\begin{pmatrix} \cos(\theta) & \sin(\theta) e^{i\phi} \\ -\sin(\theta) e^{-i\phi} & \cos(\theta) \end{pmatrix} \qquad (17)$$ 



To perform a quantum computation, we apply a sequence of elementary quantum gates 
on the qubits in our system. Suppose now, that we have applied all the quantum gates in 
our algorithm, and the computation has come to an end. The state which was initially a 
basis state has been rotated to the state $|\alpha\rangle \in \mathbb{C}^{2^n}$. We now want to extract the output 
from this state. This is done by the process of measurement. The notion of measurement 
in quantum mechanics is puzzling. For example, consider a measurement of a qubit in 
the state $|\alpha\rangle = c_0|0\rangle + c_1|1\rangle$. This qubit is neither in the state $|0\rangle$ nor in $|1\rangle$. Yet, the 
measurement postulate asserts that when the state of this qubit is observed, it must decide 
on one of the two possibilities. This decision is made non-deterministically. The classical 
outcome of the measurement would be 0 with probability $|c_0|^2$ and 1 with probability 
$|c_1|^2$. After the measurement, the state of the qubit is either $|0\rangle$ or $|1\rangle$, in consistency with 
the classical outcome of the measurement. Geometrically, this process can be interpreted 
as a projection of the state on one of the two orthogonal subspaces, $S_0$ and $S_1$, where 
$S_0 = \mathrm{span}\{|0\rangle\}$ and $S_1 = \mathrm{span}\{|1\rangle\}$, and a measurement of the state of the qubit $|\alpha\rangle$ is 
actually an observation in which of the subspaces the state is, in spite of the fact that the 
state might be in neither. The probability that the decision is $S_0$ is the norm squared 
of the projection of $|\alpha\rangle$ on $S_0$, and likewise for 1. Due to the fact that the norm of $|\alpha\rangle$ 
is one, these probabilities add up to one. After the measurement $|\alpha\rangle$ is projected to the 
space $S_0$ if the answer is 0, and to the space $S_1$ if the answer is 1. This projection is the 
famous collapse of the wave function. Now what if we measure a qubit in a system of n 
qubits? Again, we project the state onto one of two subspaces, $S_0$ and $S_1$, where $S_a$ is the 
subspace spanned by all basis states in which the measured qubit is $a$. The rule is that 
if the measured superposition is $\sum_i c_i |i_1, \ldots, i_n\rangle$, a measurement of the first qubit will give 
the outcome 0 with probability $\mathrm{Prob}(0) = \sum_{i_2, \ldots, i_n} |c_{0, i_2, \ldots, i_n}|^2$, and the superposition will 
collapse to 

$$\frac{1}{\sqrt{\mathrm{Prob}(0)}} \sum_{i_2, \ldots, i_n} c_{0, i_2, \ldots, i_n} |0, i_2, \ldots, i_n\rangle$$ 

and likewise with 1. Here is a simple example: Given the state of two qubits: 

$$\frac{1}{\sqrt{3}}(|00\rangle + |01\rangle - |11\rangle),$$ 

the probability to measure 0 in the left qubit is 2/3, and the probability to measure 1 
is 1/3. After measuring the left qubit, the state has collapsed to $\frac{1}{\sqrt{2}}(|00\rangle + |01\rangle)$ with 
probability Pr(0) = 2/3 and to $-|11\rangle$ with probability Pr(1) = 1/3. Thus, the resulting 
state depends on the outcome of the measurement. After the collapse, the projected state 
is renormalized back to 1. 
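Both the reversible extension of equation (15) and the measurement rule above can be checked on explicit state vectors. The Python below is an added example, not code from the original review; the function names, the list-of-lists matrix representation and the index convention (first qubit is the most significant bit, matching the lexicographic ordering used in the text) are assumptions of this sketch.

```python
# Added example: gates built from reversible extensions, and measurement of the first qubit.
import math


def reversible_gate(f, n, m):
    """Permutation matrix of (i, j) -> (i, f(i) XOR j) on n + m bits, as in equation (15).

    Basis states are indexed by the integer whose binary representation is the
    bit string (i, j), in lexicographic order.
    """
    dim = 2 ** (n + m)
    U = [[0] * dim for _ in range(dim)]
    for i in range(2 ** n):
        for j in range(2 ** m):
            U[(i << m) | (f(i) ^ j)][(i << m) | j] = 1
    return U


def is_unitary(U, tol=1e-12):
    """Check U U^dagger = I row by row."""
    dim = len(U)
    for r in range(dim):
        for c in range(dim):
            dot = sum(U[r][k] * complex(U[c][k]).conjugate() for k in range(dim))
            if abs(dot - (1 if r == c else 0)) > tol:
                return False
    return True


def apply(U, state):
    """Matrix-vector product: the gate acting on a superposition (linearity)."""
    return [sum(U[r][c] * state[c] for c in range(len(state))) for r in range(len(U))]


def measure_first_qubit(state):
    """Return {outcome: (probability, collapsed and renormalized state or None)}."""
    half = len(state) // 2
    result = {}
    for outcome in (0, 1):
        block = range(outcome * half, (outcome + 1) * half)  # first qubit == outcome
        prob = sum(abs(state[k]) ** 2 for k in block)
        collapsed = None
        if prob > 0:
            norm = math.sqrt(prob)
            collapsed = [state[k] / norm if k in block else 0 for k in range(len(state))]
        result[outcome] = (prob, collapsed)
    return result


CNOT = reversible_gate(lambda a: a, 1, 1)                     # (a, b) -> (a, a XOR b)
TOFFOLI = reversible_gate(lambda i: (i >> 1) & (i & 1), 2, 1)  # AND made reversible

# The two-qubit state of the worked example: (|00> + |01> - |11>) / sqrt(3)
_a = 1 / math.sqrt(3)
PAGE_STATE = [_a, _a, 0, -_a]

if __name__ == "__main__":
    print("CNOT unitary:", is_unitary(CNOT), " Toffoli unitary:", is_unitary(TOFFOLI))
    for outcome, (prob, collapsed) in measure_first_qubit(PAGE_STATE).items():
        print(outcome, round(prob, 4), [round(x, 4) for x in collapsed])
    print("after CNOT:", [round(x, 4) for x in apply(CNOT, PAGE_STATE)])
```
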

We can now summarize the definition of the model of quantum circuits. A quantum 
circuit is a directed acyclic graph, where each node in the graph is associated with a quantum 
gate. This is exactly the definition from section 2 of classical Boolean circuits, except that 
the gates are quantum. The input for the circuit is a basis state, which evolves in time 
according to the operation of the quantum gate. At the end of the computation we apply 
measurements on the output qubits (The order does not matter). The string of classical 
outcome bits is the classical output of the quantum computation. This output is in general 
probabilistic. This concludes the definition of the model. 

Let us now build a repertoire of quantum computations step by step. We have seen 
that classical gates can be implemented quantumly, by making the computation reversible. 
More explicitly: 

Lemma 1 Let $f$ be a function from n bits to m bits, computed by a Boolean circuit $C$ of 
size $S$. There exists a quantum circuit $Q$ which computes the unitary transformation on 
n + m qubits: $|0^b, i, j\rangle \longmapsto |0^b, i, f(i) \oplus j\rangle$. $b$ and the size of $Q$ are linear in $S$. 



Proof: Replace each gate in $C$ by its reversible extension, according to equation (15). We 
will add $b$ extra bits for this purpose. The input for this circuit is thus $(0^b, i)$. The modified 
$C$, denoted by $\tilde{C}$, can be viewed as a quantum circuit since all its nodes correspond to 
unitary matrices. The function that it computes is still not the required function, because 
the input $i$ is not necessarily part of the output as it should be. To solve this problem, 
we add to $\tilde{C}$ m extra wires, or qubits. The input to these wires is 0. At the end of the 
sequence of gates of $\tilde{C}$, we copy the m "result" qubits in $\tilde{C}$ on these m blank qubits by 
applying m CNOT gates. We now apply in reverse order the reversed gates of all the gates 
applied so far, except the CNOT gates. This will reverse all operations, and retain the 
input $(0^b, i)$, while the m last qubits contain the desired $f(i)$. ∎ 
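The construction in this proof (compute, copy with CNOT, then undo) can be traced on basis states with ordinary bits. The Python below is an added example, not code from the original review; the function $f(a, b, c) = (a \wedge b) \vee c$, the wire layout and the realization of OR through NOT and Toffoli gates are assumptions chosen so that the forward pass visibly dirties the extra bits and alters an input bit before the reverse pass restores them.

```python
# Added example: the compute / copy / uncompute construction of Lemma 1 on basis states.

def apply_gate(bits, gate):
    """Apply one reversible gate in place. Every gate used here is its own inverse."""
    kind, *wires = gate
    if kind == "NOT":
        bits[wires[0]] ^= 1
    elif kind == "CNOT":
        control, target = wires
        bits[target] ^= bits[control]
    elif kind == "TOFFOLI":
        c1, c2, target = wires
        bits[target] ^= bits[c1] & bits[c2]
    else:
        raise ValueError(f"unknown gate {kind!r}")


def run(circuit, bits):
    """Run a list of gates on a copy of bits and return the final bit list."""
    bits = list(bits)
    for gate in circuit:
        apply_gate(bits, gate)
    return bits


def lemma1_circuit(compute, result_wires, output_wires):
    """compute, then CNOT each result wire onto an output wire, then compute reversed."""
    copy = [("CNOT", r, o) for r, o in zip(result_wires, output_wires)]
    return compute + copy + list(reversed(compute))


# Wire layout |0^b, i, j>: two extra bits, three input bits, one output bit.
W1, W2, A, B, C, OUT = range(6)


def f(a, b, c):
    return (a & b) | c


# Forward pass for f: W1 = a AND b, then OR via De Morgan (x OR y = NOT(NOT x AND NOT y)).
COMPUTE = [
    ("TOFFOLI", A, B, W1),   # W1 = a AND b
    ("NOT", W1),             # W1 = NOT(a AND b)
    ("NOT", C),              # input bit c is temporarily negated
    ("TOFFOLI", W1, C, W2),  # W2 = NOT(a AND b) AND NOT c
    ("NOT", W2),             # W2 = (a AND b) OR c
]

Q = lemma1_circuit(COMPUTE, [W2], [OUT])

if __name__ == "__main__":
    print("after forward pass only:", run(COMPUTE, [0, 0, 1, 0, 0, 0]))
    print("after full circuit Q:   ", run(Q, [0, 0, 1, 0, 0, 0]))
    print("gates in Q:", len(Q))
```

After the forward pass alone the extra bit W1 is set and the input bit c is flipped; after the full circuit the extra bits are back to 0, the input is intact and the last wire holds $f(i) \oplus j$, at a cost of 2S + m gates.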

The state of the system is always a basis state during the computation which is de- 
scribed in the proof. Hence measurements of the final state will yield exactly the expected 
result. This shows that any computation which can be done classically can also be done 
quantumly with the same efficiency, i.e. the same order of number of gates. We have 
shown: 

Theorem 2 $P \subseteq QP$ 

In the process of conversion to reversible operations, each gate is replaced by a gate 
operating on more qubits. This means that making circuits reversible costs in adding a 
linear number of extra qubits. In [32], Bennett used a nice pebbling argument to show 
that the space cost can be decreased to a logarithmic factor with only a minor cost in time: 
$T \longmapsto T^{1+\epsilon}$. Thus the above conversion to quantum circuit can be made very efficient. 

To implement classical computation we must also show how to implement probabilistic 
algorithms. For this we need a quantum subroutine that generates a random bit. This is 
done easily by measurements. We define the Hadamard gate which acts on one qubit. It 
is an extremely useful gate in quantum algorithms. 



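$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \qquad (18)$$ 

Applying this gate on a qubit in the state $|0\rangle$ or $|1\rangle$, we get a superposition: $\frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$. 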
A measurement of this qubit yields a random bit. Any classical circuit that uses random 
bits can be converted to a quantum circuit by replacing the gates with reversible gates 
and adding the "quantum random bit" subroutine when needed. Note that here we allow 
measuring in the middle of the computation. This shows that: 

Theorem 3 $BPP \subseteq BQP$ 

The repertoire of classical algorithms can therefore be simulated efficiently by quantum 
computers. But quantum systems feature characteristics which are far more interesting. 
We will encounter these possibilities when we discuss quantum algorithms. 

Let me define here also the model of quantum Turing Machine [75, 38, 179] (QTM) 
which is the quantum analog of the classical TM. The difference is that all the degrees 
of freedom become quantum: Each cell in the tape, the state of the machine, and the 
reading head of the tape can all be in linear superpositions of their different possible 
classical states. 

Definition 7 A quantum Turing machine is specified by the following items: 

1. A finite alphabet $\Sigma = \{\sqcup, 0, 1, \ldots\}$ where $\sqcup$ is the blank symbol. 

2. A finite set $K = \{q_0, \ldots, q_s\}$ of "machine states", with $h, s \in K$ two special states. 

3. A transition function $\delta : Q \times \Sigma \times Q \times \Sigma \times \{-1, 0, 1\} \longmapsto \mathbb{C}$ 

As in classical TM, the tape is associated with a head that reads and writes on that tape. 
A classical configuration, $c$, of the Turing machine is specified by the head's position, the 
contents of the tape and the machine's state. The Hilbert space of the QTM is defined 
as the vector space, spanned by all possible classical configurations $\{|c\rangle\}$. The dimension 
of this space is infinite. The computation starts with the QTM in a basis state $|c\rangle$, which 
corresponds to the following classical configuration: An input of n symbols is written 
in positions $1, \ldots, n$ on the tape, all symbols except these n symbols are blank ($\sqcup$), and 
the head is at position 1. Each time step, the machine evolves according to an infinite 
unitary matrix which is defined in the following way. $U_{c,c'}$, the probability amplitude to 
transform from configuration $c$ to $c'$, is determined by the transition function $\delta$. If in $c$, 
the state of the machine is $q$ and the symbol in the current place of the tape head is $a$ 
then $\delta(q, a, q', a', \epsilon)$ is the probability amplitude to go from $c$ to $c'$, where $c'$ is equal to $c$ 
everywhere except locally. The machine state in $c'$, $q$, is changed to $q'$, the symbol under 
the head is changed to $a'$ and the tape head moves one step in direction $\epsilon$. Note that the 
operation of the Turing machine is local, i.e. it depends only on the current state of the 
machine and the symbol now read by the tape. Unitarity of infinite matrices is not easy 
to check, and conditions for unitarity were given by Bernstein and Vaziranip^]. 

In my opinion, the QTM model is less appealing than the model of quantum circuits,
for a few reasons. First, QTMs involve infinite unitary matrices. Second, it seems very
unlikely that a physical quantum computer will resemble this model, because the head,
or the apparatus executing the quantum operations, is most likely to be classical in its
position and state. Another point is that the QTM model is a sequential model, which
means that it is able to apply only one operation at each time step. Aharonov and Ben-Or
showed [!^] that a sequential model is fundamentally incapable of operating fault tolerantly
in the presence of noise. Above all, constructing algorithms is much simpler in the circuit
model. For these reasons I will restrict this review to quantum circuits.

The model of quantum circuits, just like that of classical circuits, has "uniform" and
"non-uniform" versions. Again, we will restrict ourselves to the uniform model, i.e. quantum
circuits which can be designed in polynomial time on a classical Turing Machine. Yao [202] showed
that uniform quantum circuits are polynomially equivalent to quantum Turing machines,
by a proof which is surprisingly complicated. This proof gives us the freedom of choosing
whichever model is more convenient for us.



Another model worth mentioning in this context is the quantum cellular automaton []14,
196, 88, 77]. This model resembles quantum circuits, but is different in the fact that the
operations are homogeneous, or periodic, in space and in time. The definition of this
model is subtle and, unlike the case of quantum circuits, it is not trivial to decide whether
a given quantum cellular automaton obeys the rules of quantum mechanics or not.

Another interesting quantum model is that of a finite state quantum automaton, which
is similar to a quantum Turing machine except it can only read and not write, so it has
no memory. It is therefore a very limited model. In this model Watrous [132] showed an
interesting algorithm which uses interference, and is able to compute a function which
cannot be computed in the analogous classical model.

4 Universal Quantum Gates 

What kind of elementary gates can be used in a quantum computation program? We would 
like to write our program using elementary steps: i.e., the algorithm should be a sequence of 
steps, each potentially implementable in the laboratory. It seems that achieving controlled 
interactions between a large number of qubits in one elementary step is extremely difficult. 
Therefore it is reasonable to require an "elementary gate" to operate on a small number 
of qubits (independent of n, which can be very large). We want our computer to be able
to compute any function. The set of elementary gates used should thus be universal. For
classical reversible computation, there exists a single universal gate [M, 186], called the
Toffoli gate, which we have already encountered. This gate computes the function

$$a, b, c \longmapsto a, b, ab \oplus c.$$

The claim is that any reversible function can be represented as a concatenation of the
Toffoli gate on different inputs. For example, to construct the logical AND gate on a, b,
we simply input c = 0, and the last bit will contain $ab \oplus 0 = \mathrm{AND}(a,b)$. To implement
the NOT gate on the third bit we set the first two bits to be equal to 1. We now have
what is well known to be a universal set of gates: the NOT and AND gates. In the
quantum case, the notion of universality is slightly more complicated, because operations
are continuous. We need not require that all operations are achieved exactly, but a very
good approximation suffices. The notion of approximation is very important in quantum
computation. Frequently operations are approximated instead of achieved exactly, without
significantly damaging the correctness of the computation.

Definition 8 Approximation:
A unitary matrix U is said to be approximated to within $\epsilon$ by a unitary matrix U' if
$\|U - U'\| < \epsilon$.

The norm we use is the one induced by the Euclidean norm on vectors in the Hilbert
space.

Note that unitary transformations can be thought of as rigid rotations of the Hilbert
space. This means that angles between vectors are preserved during the computation. The
result of using U' instead of U, where $\|U - U'\| < \epsilon$, is that the state is tilted by an angle of
order $\epsilon$ from the correct state. However this angle does not grow during the computation,
because the rotation is rigid. The state always remains within $\epsilon$ angle from the correct
state. Therefore the overall error in the entire computation is additive: it is at most
the sum of the errors in all the gates. This shows that the accuracy to which the gates
should be approximated is not very large. If S gates are used in the circuit, it suffices
to approximate each gate to within $O(\frac{1}{S})$, in order that the computation is correct with
constant probability [38].



We can now define the notion of universal gates, which approximate any possible 
quantum operation: 

Definition 9 Universal Set of Gates: 

A set of quantum gates, Q, is called universal if for any $\epsilon$ and any unitary matrix U
on any number of bits, U can be approximated to within $\epsilon > 0$ by a sequence of gates from
Q. In other words, the subgroup generated by Q is dense in the group of unitary operators,
U(n), for all n.

Deutsch was the first to show a universal elementary gate, which operates on three
qubits [7£]. Bernstein and Vazirani [35] gave another proof of universality in terms of QTM.
It was then shown by DiVincenzo that two-qubit gates are universal [p4]. This is an
important result, since it seems impossible to control interactions between three particles,
whereas two particle interactions are likely to be much easier to implement. It was a
surprising achievement, since in reversible classical computation, which is a special case of
quantum computation, there is no set of two bit gates which is universal. Note that one
qubit gate is certainly not enough to construct all operations. Barenco [0] and Deutsch
et. al. [^l] showed that almost any two-bit gate is universal (see also Lloyd [l4l], [l43f]). An
improvement of DiVincenzo's result was achieved later by Barenco et. al. [l^], where it was
shown that the classical controlled not gate, together with all one-qubit gates, construct a
universal set as well! In fact, one 1-qubit gate and the controlled not gate will do. This
is perhaps the simplest and most economic set constructed so far. Implementation of
one qubit gates is feasible, and experimentalists have already implemented a controlled
not gate [187]. However, there are other possible sets of gates. Adleman et. al. [^] and
Solovay [179] suggested a set of gates, where all entries of the matrices are ±| and ib|
and ±1. Other universal sets of gates were suggested in connection with fault tolerant
quantum computation [174, ^, 12^].

Why do we need so many possible universal sets to choose from? Universal sets of
gates are our computer languages. At the lowest level, we need quantum assembly, the 
machine language by which everything will be implemented. For this purpose, we will use 
the set which consists of the easiest gates to implement in the laboratory. Probably, the 
set of one and two qubit gates will be most appropriate. Another incentive is analyzing 
the complexity power of quantum computers. For this the set suggested by Solovay and 
by Adleman et. al. seems more appropriate. (Fortnow recently reported on bounds using
this set [9^].) We will see that for error correction purposes, we will need a completely
different universal set of gates. An important question should arise here. If our computer 
is built using one set, how can we design algorithms using another set, and analyze the 
computational power using a third set? The answer is that since they are all universal 
sets, there is a way to translate between all these languages. A gate from one set can 
be approximated by a sequence of gates from another set. It turns out that in all the 
universal sets described here, the approximation to within $\epsilon$ of an operation on k qubits
takes $\mathrm{poly}(\log(\frac{1}{\epsilon}), 2^k)$ gates from the set. As long as the gates are local (i.e. k is constant)
the translation between different universal sets is efficient.

Now that the concept of a universal set of gates is understood, I would like to present 
an example of a simple universal set of gates. It relies on the proof of Deutsch's universal 
gate. The idea underlying Deutsch's universal gate is that reversible computation is
a special case of quantum computation. It is therefore natural that universal quantum
computation can be achieved by generalizing universal reversible computation. Deutsch
showed how to generalize Toffoli's gate so that it becomes a universal gate for quantum
computation:

[Figure: the generalized Toffoli gate, with the one-qubit matrix Q in place of NOT.]

The NOT matrix in the original Toffoli gate (see equation 16) is replaced by another
unitary matrix on one qubit, Q, such that $Q^n$ can approximate any $2 \times 2$ matrix. I will
present here a modification of Deutsch's proof, using two gates of the above form. Define:



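$$U = \begin{pmatrix} \cos(2\pi\alpha) & \sin(2\pi\alpha) \\ -\sin(2\pi\alpha) & \cos(2\pi\alpha) \end{pmatrix}, \qquad W = \begin{pmatrix} 1 & 0 \\ 0 & e^{2\pi i\alpha} \end{pmatrix} \qquad (19)$$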



We have freedom in choosing $\alpha$, except we require that the sequence
$\alpha \bmod 1, 2\alpha \bmod 1, 3\alpha \bmod 1, \ldots$ hits the $\epsilon$-neighborhood of any number in [0,1], within
$\mathrm{poly}(\frac{1}{\epsilon})$ steps. Clearly, $\alpha$ should be irrational, but not all irrational numbers satisfy this
property. It is not very difficult to see that an irrational root of a polynomial of degree 2
satisfies the required property. Let $U_3$ ($W_3$) be the generalized Toffoli gate with U (W)
playing the role of the conditioned matrix, Q, respectively. Then

Theorem 4 $\{U_3, W_3\}$ is a universal set of quantum gates.

Proof: First, note that according to the choice of $\alpha$, U approximates any rotation in the
real plane, and W approximates any rotation in the complex plane. Given an $8 \times 8$ unitary
matrix U, let us denote its 8 eigenvectors as $|\psi_j\rangle$ with corresponding eigenvalues $e^{i\theta_j}$. U
is determined by $U|\psi_j\rangle = e^{i\theta_j}|\psi_j\rangle$. Define:

Then $U = U_7 U_6 \cdots U_0$. $U_k$ can be achieved by first taking $|\psi_k\rangle$ to $|111\rangle$, by a
transformation which we will denote by R. After R we apply W the correct number of times to
approximate $|111\rangle \longmapsto e^{i\theta_k}|111\rangle$ and then we take $|111\rangle$ to $|\psi_k\rangle$ by applying the reverse
transformation of R, $R^{-1}$.

It is left to show how to apply R, i.e. how to take a general state $|\psi\rangle = \sum_{i=0}^{7} c_i|i\rangle$
to $|111\rangle$. For this, note that can approximate the Toffoli gate, and therefore can
approximate all permutations on basis states. To apply $|\psi\rangle \longmapsto |111\rangle$, first turn the
coefficient on the coordinate $|110\rangle$ to 0. This is done by applying W an appropriate
number of times so that the phase in the coefficient of $|110\rangle$ will equal that of $|111\rangle$. The
coefficients now become $c_6 = r_6 e^{i\phi}$, $c_7 = r_7 e^{i\phi}$. Let $\theta$ be such that $r_6 = r\sin(\theta)$, $r_7 = r\cos(\theta)$.
Now apply U an appropriate number of times to approximate a rotation by $-\theta$. This
will transform all the weight of $|110\rangle$ to $|111\rangle$. In the same way we transform the weight
from all coordinates to $|111\rangle$, using permutations between coordinates. This achieves
$|\psi\rangle \longmapsto |111\rangle$, i.e. the transformation R. $R^{-1}$ is constructed in the same way.

We have shown that all three qubit operations can be approximated. For operations
on more qubits, note that the group generated by $\{U_m, W_m\}$ is dense in all operations on
m bits, by the same reasoning. To create $U_m$ ($W_m$) from $U_3$ ($W_3$) use recursion: compute
the logical AND of the first two bits by a Toffoli gate writing it on an extra bit, and then
apply $U_{m-1}$ ($W_{m-1}$). The reader can verify that the approximation is polynomially fast,
i.e. for fixed m, any unitary matrix on m qubits can be approximated to within $\epsilon$ by
$\mathrm{poly}(\frac{1}{\epsilon})$ applications of the gates $U_3$ and $W_3$. □
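
The requirement on $\alpha$ can be checked numerically. The following Python sketch is an added example, not code from the review: it assumes $\alpha = (\sqrt{5}-1)/2$ (an irrational root of $x^2 + x - 1$) and hypothetical helper names, finds the smallest n with $n\alpha \bmod 1$ within $\epsilon$ of a target, and measures how far $U^n$ is from the target rotation in the induced norm of Definition 8.

```python
import math

# Assumed choice of alpha: an irrational root of the degree-2 polynomial x^2 + x - 1.
ALPHA = (math.sqrt(5) - 1) / 2


def circle_distance(x, y):
    """Distance between x and y on the unit circle [0, 1) with wrap-around."""
    d = abs(x - y) % 1.0
    return min(d, 1.0 - d)


def steps_to_hit(target, eps, alpha=ALPHA):
    """Smallest n >= 1 such that n*alpha mod 1 lies within eps of target."""
    n = 1
    while circle_distance((n * alpha) % 1.0, target) >= eps:
        n += 1
    return n


def rotation(turns):
    """The matrix U of equation 19 with 2*pi*alpha replaced by 2*pi*turns."""
    a = 2 * math.pi * turns
    return [[math.cos(a), math.sin(a)], [-math.sin(a), math.cos(a)]]


def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def matrix_power(M, n):
    """M^n by repeated squaring."""
    result = [[1.0, 0.0], [0.0, 1.0]]
    while n:
        if n & 1:
            result = matmul(result, M)
        M = matmul(M, M)
        n >>= 1
    return result


def operator_norm_diff(A, B):
    """Norm of A - B induced by the Euclidean vector norm (largest singular value)."""
    D = [[A[i][j] - B[i][j] for j in range(2)] for i in range(2)]
    # Entries of the symmetric matrix D^T D, whose largest eigenvalue is the norm squared.
    a = D[0][0] ** 2 + D[1][0] ** 2
    b = D[0][0] * D[0][1] + D[1][0] * D[1][1]
    c = D[0][1] ** 2 + D[1][1] ** 2
    largest = (a + c) / 2 + math.sqrt(((a - c) / 2) ** 2 + b * b)
    return math.sqrt(largest)


def approximate_rotation(target, eps):
    """Return (n, error): the power of U used and the distance of U^n from the target."""
    n = steps_to_hit(target, eps)
    error = operator_norm_diff(matrix_power(rotation(ALPHA), n), rotation(target))
    return n, error


def worst_case_steps(eps, grid=200):
    """Largest number of steps needed over a grid of target angles."""
    return max(steps_to_hit(j / grid, eps) for j in range(grid))


if __name__ == "__main__":
    for eps in (0.1, 0.01, 0.001):
        print(eps, worst_case_steps(eps), approximate_rotation(0.25, eps))
```

The worst case grows roughly like $1/\epsilon$ for this $\alpha$, and the matrix error stays below $2\pi\epsilon$ because two rotations whose angles differ by $\Delta$ are at distance $2|\sin(\Delta/2)|$.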

The generalized Toffoli gates operate on three qubits. Barenco et. al. [p^] show an 
explicit sequence of two bit gates which constructs any matrix on three qubits, of the form 
of a generalized Toffoli gate: 

[Figure: circuit building the generalized Toffoli gate with conditioned matrix Q from two-qubit gates V and V†.]

where $V = \sqrt{Q}$. Thus, two bit gates are universal. □



It was further shown [l(:] that a one-qubit matrix conditioned on one other qubit can be
expressed as a sequence of one-qubit matrices and CNOTs. So the generalized Toffoli
gate of Deutsch can be written as a finite sequence of one-qubit gates and CNOTs. This
shows that {one-qubit gates, CNOT} is universal.

The description above shows how to approximate unitary matrices using $\mathrm{poly}(\frac{1}{\epsilon})$ gates
from the universal set. In fact, an exponentially faster approximation is possible due to a
theorem by Kitaev [122(], which was also proved by Solovay [17£]:



Theorem 5 Let the matrices $U_1, \ldots, U_r \in SU(n)$ generate a dense subset in $SU(n)$. Then
any matrix $U \in SU(n)$ can be approximated to within $\epsilon$ by a product of $\mathrm{poly}(\log(\frac{1}{\epsilon}))$
matrices from Ui, ...Ur,U] 



$SU(n)$ is the set of $n \times n$ unitary matrices with determinant 1. Given a universal quantum
set, we can easily convert it to a set in $SU(n)$ by multiplying each matrix with an overall
complex scalar of absolute value 1, namely a phase. This overall phase does not affect the
result of any measurement, so any gate can be multiplied by a phase without affecting the
computation. We thus have:

Corollary 1 The approximation rate of any universal set of quantum gates is exponential. 

The idea of the proof of the theorem is to construct finer and finer nets of points in
$SU(n)$. The 2k'th net is constructed by taking commutators of points from the k'th net.
Each point in the k'th net is a product of a linear (in k) number of gates from the set
of gates. It turns out that the distance between two adjacent points in the net decreases
exponentially with k.

Having chosen the set of gates to write algorithms with, actually writing the algorithm 
in this assembler-like language seems like a very tedious task! Just like higher languages 
in ordinary computer programming, it is desirable that quantum operations which are 
commonly used can be treated as black boxes, without rewriting them from the beginning 
with elementary gates. Steps in this direction were made by [l6, 24, 155, 193].




5 Quantum Algorithms 



The first and simplest quantum algorithm which achieves advantage over classical
algorithms was presented by Deutsch and Jozsa [79]. Deutsch and Jozsa's algorithm addresses
a problem which we have encountered before, in the context of probabilistic algorithms.

f is a Boolean function from {1, N} to {0, 1}. Assume $N = 2^n$ for some integer
n. We are promised that f(i) are either all equal to 0 ("constant"), or half are 0
and half are 1 ("balanced"). We are asked to distinguish between the two
cases.

The question is presented in the oracle setting. This means that the circuit does not
get f(1), ..., f(N) as input. Instead, the circuit has access to an oracle for f. A query to
the oracle is a gate with n input wires carrying an integer $i \in \{1, N\}$ in bit representation.
The output from the oracle gate is f(i). A quantum query to the oracle means applying
the unitary transformation $|i\rangle|j\rangle \longmapsto |i\rangle|j \oplus f(i)\rangle$. The cost is measured by the number
of queries to the oracle. A classical algorithm that solves this question exactly will need
O(N) queries. The quantum algorithm of Deutsch and Jozsa solves the problem exactly,
with merely one quantum query! The algorithm makes use of a transformation known as
the discrete Fourier transform over the group $Z_2^n$.

$$|i\rangle \xrightarrow{\text{Fourier Transform}} \frac{1}{\sqrt{N}} \sum_{j} (-1)^{i \cdot j} |j\rangle \qquad (21)$$

where i, j are strings of length n, and $i \cdot j = \sum_{k=1}^{n} i_k j_k \bmod 2$, the inner product of i and
j modulo 2. Meanwhile, we need only one easily verified fact about the Fourier transform
over $Z_2^n$: To apply this transformation on n qubits, we simply apply the Hadamard
transform H from equation 18 on each of the n qubits. Note also that the reversed Fourier
transform, $FT^{-1}$, is equal to the FT. We now turn to solve Deutsch and Jozsa's problem.
We will work with two registers, one will hold a number between 1 to N and therefore
will consist of n qubits, and the other register will consist of one qubit that will carry the
value of the function.
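
Deutsch and Jozsa's Algorithm

$|0^n\rangle \otimes |1\rangle$

Apply Fourier transform on first register.
Apply H on last qubit.

$\frac{1}{\sqrt{N}} \sum_{i=1}^{N} |i\rangle \otimes \left( \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle \right)$

Call oracle, $|i\rangle|j\rangle \longmapsto |i\rangle|j \oplus f(i)\rangle$.

$\frac{1}{\sqrt{N}} \sum_{i=1}^{N} (-1)^{f(i)} |i\rangle \otimes \left( \frac{1}{\sqrt{2}}|0\rangle - \frac{1}{\sqrt{2}}|1\rangle \right)$

Apply reversed Fourier transform on first register.

Measure first register.

If outcome equals $0^n$, output "constant".
Else, output "balanced".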



To see why this algorithm indeed works, let us denote by $|\psi_c\rangle$ the vector $|\psi\rangle$ in the case
"constant", and $|\psi_b\rangle$ the vector $|\psi\rangle$ in the case "balanced". Note that if f(i) is constant,
the second Fourier transform merely undoes the first Fourier transform, so $|\psi_c\rangle = |0^n\rangle$.
On the other hand, if f(i) is balanced, the vector
is orthogonal to




N 

tween vectors, {tph) is or1 
3ed" case is zero. Hence, 



correct answer with probability 1. This algorithm shows the advantage of exact quantum
complexity over exact classical complexity. However, when the restriction to exact solution
is released, this advantage is gone. A classical probabilistic machine can solve the problem
using a constant number of queries - though not by one query! (This was shown in the
overview.)

Let me remark that discussing exact solutions is problematic in the context of quantum 
algorithms, because of the continuous characteristics of quantum operators. Almost all 
quantum computations cannot be achieved exactly, when using a finite universal set of 
gates; the set of unitary operations is continuous, while the set of achievable operations 
using a finite universal set of gates is countable. Moreover, the notion of exact quantum
algorithms is not robust, because the set of problems that have an exact solution depends
very strongly on the universal set of gates. The function AND, for example, cannot be
computed exactly by Deutsch's universal machine! 

In the next algorithm, due to Simon, the exponential advantage is achieved even with- 
out requiring exact solutions. The problem can be specified as follows: 

Simon's Problem:

f is a function from {1, N} to {1, N}, where $N = 2^n$. We are promised that
one of two cases occurs:

Either all f(i) are different, i.e. f is "one to one",

or

f satisfies that $\exists s$, f(i) = f(j) if and only if i = j or $i = j \oplus s$, i.e. f is "two to
one".

We are asked to distinguish between the two cases.

Here a classical computer will need order of O(N) queries, even when an error is
allowed. Simon's quantum algorithm can solve this question with the expected number
of queries being O(log(N)). (In fact, Brassard et. al. improved this result from expected
O(log(N)) queries to worst case O(log(N)) queries [^1].)

We will work with two registers of n qubits; both will hold an integer between 1 to N.
The first register will carry numbers in the range of the function. The second register will
carry the value of the function.

Simon's Algorithm

$|0^n\rangle \otimes |0^n\rangle$

Apply Fourier transform on first register.

Call oracle.

$\frac{1}{\sqrt{N}} \sum_{i=1}^{N} |i\rangle \otimes |f(i)\rangle$

Apply Fourier transform on first register.

$\frac{1}{N} \sum_{k=1}^{N} |k\rangle \otimes \sum_{i=1}^{N} (-1)^{i \cdot k} |f(i)\rangle$

Measure first register. Let $k_1$ be the outcome.

Repeat the previous steps cn times to get $k_1, k_2, \ldots, k_{cn}$.

Apply Gauss elimination to find a non-trivial solution for s in the set of equations:

$k_1 \cdot s = 0 \bmod 2$
$k_2 \cdot s = 0 \bmod 2$
$\vdots$
$k_{cn} \cdot s = 0 \bmod 2$

If found, output "two to one". If not, declare "one to one".



Proof of correctness: To see why this algorithm works, let us analyze the probability
to measure $k_1 = k$, in the two cases. In the case of "one to one", the probability to measure
$k_1 = k$ is independent of k:

$$\mathrm{Prob}(k_1 = k) = \sum_{i} \left| \frac{1}{N} (-1)^{i \cdot k} \right|^2 = \frac{1}{N} \qquad (22)$$

The above formula is derived by computing the squared norm of the projection of the
measured vector on $|k\rangle|f(i)\rangle$ and summing over all possible f(i). If we do the same
thing in the "two to one" case, the projection on $|k\rangle|f(i)\rangle$ will consist of two terms: one
comes from i and the other from $i \oplus s$, since $f(i) = f(i \oplus s)$. Hence, in the following sum
we divide by 2 to correct for the fact that every term is counted twice. In the case "two
to one", we derive:



So we will only measure k which is orthogonal to s. In order to distinguish between
the cases, we repeat the experiment many times, and observe whether the space spanned
by the random vectors is the whole space or a subspace. If we perform a large enough
number of trials, we can be almost sure that in the "one to one" case, the vectors will span
the whole space. Hence finding a non trivial solution will mean that we are in the "two to
one" case. A more precise argument follows. Let V be a vector space of dimension n over
$Z_2$. Let $S \subset V$ be the subspace spanned by the vectors $k_1, \ldots, k_t$, which were measured
at the first t trials. If S is not equal to V, a random vector $k_{t+1}$ from V will be in S
with probability at most $\frac{1}{2}$. Hence, with probability greater than half, the dimension of
$\mathrm{span}\{S, k_{t+1}\}$ is larger than that of S. By Chernoff's law []56], the probability the vectors
will not span the whole space after cn trials is exponentially small in n. □
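
Both oracle algorithms above (Deutsch and Jozsa's, and Simon's) can be replayed on a classical state-vector simulation for small n. This is an added Python example, not part of the review; inputs are indexed 0..N-1 instead of 1..N, the function names are hypothetical, and the functions f passed in are constructed for illustration.

```python
import random
from math import sqrt


def hadamard_first(state, n):
    """Fourier transform over Z_2^n on the first register (H on each of its n qubits).
    state[i][j] is the amplitude of |i>|j>."""
    out = [row[:] for row in state]
    h = 1
    while h < (1 << n):
        for start in range(0, 1 << n, 2 * h):
            for i in range(start, start + h):
                for j in range(len(out[i])):
                    a, b = out[i][j], out[i + h][j]
                    out[i][j], out[i + h][j] = (a + b) / sqrt(2), (a - b) / sqrt(2)
        h *= 2
    return out


def oracle(state, f):
    """Quantum query |i>|j> -> |i>|j XOR f(i)>."""
    out = [[0.0] * len(row) for row in state]
    for i, row in enumerate(state):
        for j, amp in enumerate(row):
            out[i][j ^ f(i)] += amp
    return out


def first_register_distribution(state):
    """Probability of each outcome when the first register is measured."""
    return [sum(a * a for a in row) for row in state]


def deutsch_jozsa(f, n):
    """One oracle call decides 'constant' versus 'balanced' (f must keep the promise)."""
    state = [[0.0, 0.0] for _ in range(1 << n)]
    state[0][1] = 1.0                                   # |0^n>|1>
    state = hadamard_first(state, n)
    state = [[(a + b) / sqrt(2), (a - b) / sqrt(2)] for a, b in state]  # H on last qubit
    state = hadamard_first(oracle(state, f), n)
    return "constant" if first_register_distribution(state)[0] > 0.5 else "balanced"


def simon_distribution(f, n):
    """Distribution of the measured k after one round of Simon's algorithm."""
    size = 1 << n
    state = [[0.0] * size for _ in range(size)]
    state[0][0] = 1.0                                   # |0^n>|0^n>
    state = hadamard_first(state, n)
    state = hadamard_first(oracle(state, f), n)
    return first_register_distribution(state)


def solve_for_s(ks, n):
    """Gauss elimination over Z_2: a non-zero s with k.s = 0 mod 2 for all k, or None."""
    basis = []                                          # (pivot bit, row) in reduced form
    for k in ks:
        for p, r in basis:
            if (k >> p) & 1:
                k ^= r
        if k:
            p = k.bit_length() - 1
            basis = [(q, r ^ k if (r >> p) & 1 else r) for q, r in basis]
            basis.append((p, k))
    if len(basis) == n:
        return None                                     # the k's span the whole space
    pivots = {p for p, _ in basis}
    free = next(b for b in range(n) if b not in pivots)
    s = 1 << free
    for p, r in basis:
        if (r >> free) & 1:
            s |= 1 << p
    return s


def simon(f, n, c=10, rng=None):
    """Sample c*n outcomes (standing in for c*n quantum runs) and solve for s."""
    rng = rng or random.Random(0)
    ks = rng.choices(range(1 << n), weights=simon_distribution(f, n), k=c * n)
    s = solve_for_s(ks, n)
    return ("one to one", None) if s is None else ("two to one", s)


if __name__ == "__main__":
    print(deutsch_jozsa(lambda i: bin(i).count("1") % 2, 3))
    print(simon(lambda i: min(i, i ^ 5), 3))            # constructed f with s = 5
```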

This algorithm is exponentially more efficient than any randomized classical algorithm! 
This seems like an extremely strong result, but it is very important to notice here that 
the problem is stated in the oracle setting and that the algorithm does not apply for any 
oracle, but only on oracles from a restricted set: either "balanced" or "constant" functions. 
This restriction is called in complexity theory a "promise" to the algorithm: the algorithm 
is "promised" that the oracle is from some restricted subset. We will see later, in section 
10, that without such a "promise", quantum computation and classical computation are 
polynomially equivalent in terms of number of queries to the oracle. This shows that in 
the absence of a promise, i.e. full range input, the quantum advantage is exhibited not in 
the number of accesses to the input, but in the way the information is processed. We will 
see an example for this in the next section, in Shor's factorization algorithm. 

6 Shor's Algorithm for Factoring Integers 

Shor's algorithm is the most important algorithmic result in quantum computation. The 
algorithm builds on ideas that already appear in Deutsch and Jozsa's algorithm and in 
Simon's algorithm, and like these algorithms, the basic ingredient of the algorithm is the
Fourier transform. The problem can be stated as follows: 



Input: An integer N 

Output: A non-trivial factor of N, if exists. 

There is no proof that there is no polynomial classical factorization algorithm. The
problem is even not known to be NP-complete. However, factorization is regarded as
hard, because many people have tried to solve it efficiently and failed. In 1994, Shor
published a polynomial (in log(N)) quantum algorithm for solving this problem [172].
This result is regarded as extremely important both theoretically and practically, although
there is no proof that a classical algorithm does not exist. The reason for the importance
of this algorithm is mainly the fact that the security of the RSA cryptosystem, which is
so widely used, is based on the assumed hardness of factoring integers. Before explaining
the algorithm, I would like to explain here in short how this cryptosystem works.

A cryptosystem is a secure way to transform information such that an eavesdropper
will not have any information about the message sent. In the RSA method, the receiver,
Bob, who will get the message, sends first a public key to Alice. Alice uses this key to
encode her message, and sends it to Bob. Bob is the only one who can decode the message,
assuming factoring is hard.





The RSA cryptosystem

Alice                         Bob

                              P, Q large primes. Set N = PQ.
N, E                <--       E coprime with P - 1, Q - 1
Message M
$M^E \bmod N$
                              Computes $E^{-1} \bmod (P-1)(Q-1)$,
                              Computes $(M^E)^{E^{-1}} \bmod N = M$



The key is chosen as follows: Bob chooses two large primes P and Q. He then computes
N = PQ, and also picks an integer E co-prime to $(P-1)(Q-1) = \phi(N)$, the number of
co-primes to N smaller than N. Bob sends E and N to the sender, Alice, using a public
domain (newspaper, phone...). The pair (E, N) is called Bob's public key. Bob keeps
secret $D = E^{-1} \bmod (P-1)(Q-1)$, which he can compute easily knowing P and Q, using
the extended Euclid's algorithm [^]. The pair (N, D) is called Bob's secret key. Alice
computes her message, M, to the power of E, modulo N, and sends this number in a
public channel to Bob. Note that Alice's computation is easy: taking a number Y to the
power of X modulo N is done by writing X in binary representation: $X = x_1 \ldots x_n$. Then
one can square $(Y^{x_i})$ i times to get $(Y^{x_i})^{2^i}$, add the results for all i and take the modulus
over N. Bob decodes Alice's message using his secret key by computing $(M^E)^D \bmod N$.

Why does Bob get the correct message M? This follows from Fermat's little theorem
and the Chinese remainder theorem which together imply []7^] that for any M,
$M^{k\phi(N)+1} = M \bmod N$. The security of this cryptosystem rests on the difficulty of
factoring large numbers. If the eavesdropper has a factorization algorithm, he knows the 
factors P, Q, and he can simply play the role of Bob in the last step of the cryptographic 
protocol. The converse statement, which asserts that in order to crack RSA one must 
have a factoring algorithm, is not proven. However, all known methods to crack RSA can 
be polynomially converted to a factorization algorithm. Since factorization is assumed 
hard, classically, RSA is believed to be a secure cryptosystem to use. In order to use RSA 
securely, one should work with integers that are a few hundreds digits in length, since 
factoring smaller integers is still practical. Integers of up to 130 digits have been factor- 
ized by classical computers in no longer than a few weeks. Due to the fact that the only 
classical factorization algorithm is exponential, factorizing a number of twice the number 
of digits will take an eavesdropper not twice the time, but of the order of million years. If 
Alice and Bob work with numbers of the order of hundreds of digits, they are presumably 
secure against classical eavesdroppers. 

Shor's algorithm provides a quantum efficient way to break the RSA cryptosystem. In 
fact, Shor presented a quantum algorithm not for factoring, but for a different problem: 

Order modulo N:

Input: An integer N, and Y coprime to N

Output: The order of Y, i.e. the minimal positive integer r such that $Y^r = 1 \bmod N$.

The problem of factorization can be polynomially reduced to the problem of finding the
order modulo N, using results from number theory. I will not describe the reduction here;
an explanation can be found in an excellent review on Shor's algorithm [^0]. Instead, I
will show a way [70] to crack RSA given an efficient algorithm to find the order modulo N:
Suppose the message sent is $M^E$. Find the order r of $M^E$ modulo N. r is also the order of
M, since E is coprime to $(P-1)(Q-1) = \phi(N)$. It is easy to find efficiently the inverse
of E, $D' = E^{-1}$ modulo r, using Euclid's algorithm. Then simply, $(M^E)^{D'} = M \bmod N$,
since $M^r = 1 \bmod N$.
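
The key generation, the square-and-multiply step and the order-based recovery described above, as an added Python example (not from the review). The primes 61 and 53, E = 17 and M = 65 are constructed toy values, and the brute-force `order` function is only a stand-in for the quantum order-finding subroutine: it takes time proportional to r, which is exactly why the hardness of order finding is what protects the message at real key sizes.

```python
from math import gcd


def modexp(y, x, n):
    """y^x mod n by square-and-multiply over the binary representation of x."""
    result, square = 1, y % n
    while x:
        if x & 1:
            result = result * square % n
        square = square * square % n
        x >>= 1
    return result


def modinv(a, m):
    """a^{-1} mod m by the extended Euclid's algorithm."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a is not invertible modulo m")
    return old_s % m


def keygen(p, q, e):
    """Bob's side: returns the public key (N, E) and the secret key (N, D)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be coprime to (P-1)(Q-1)")
    return (n, e), (n, modinv(e, phi))


def encrypt(m, public_key):
    n, e = public_key
    return modexp(m, e, n)


def decrypt(c, secret_key):
    n, d = secret_key
    return modexp(c, d, n)


def order(y, n):
    """Minimal r > 0 with y^r = 1 mod n, by brute force.
    Stand-in for the quantum subroutine; only usable for toy moduli."""
    if gcd(y, n) != 1:
        raise ValueError("Y must be coprime to N")
    r, value = 1, y % n
    while value != 1:
        value = value * y % n
        r += 1
    return r


def recover_from_order(c, e, n):
    """Recover M from C = M^E mod N using only public values and the order of C.
    r is also the order of M, so D' = E^{-1} mod r satisfies C^{D'} = M mod N."""
    r = order(c, n)
    d_prime = modinv(e, r)
    return modexp(c, d_prime, n)


if __name__ == "__main__":
    public, secret = keygen(61, 53, 17)        # constructed toy primes
    c = encrypt(65, public)                    # constructed message M = 65
    print(public, secret, c, decrypt(c, secret), recover_from_order(c, *public[::-1]))
```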

Let me now present Shor's beautiful algorithm for finding the order of Y, for any given
Y, modulo N. The description follows [pO]. In short, the idea of the algorithm is to create
a state with periodicity r, and then apply Fourier transform over $Z_Q$ (the additive group
of integers modulo Q), to reveal this periodicity. The Fourier transform over the group
$Z_Q$ is defined as follows:

$$|a\rangle \longmapsto \frac{1}{\sqrt{Q}} \sum_{b=0}^{Q-1} e^{2\pi i a b/Q} |b\rangle \qquad (24)$$



The algorithm to compute this Fourier transform will be given in the next section, which
is devoted entirely to Fourier transforms. Again we will work with two registers. The first
will hold a number between 1 to Q. (Q will be fixed later: it is much larger than N, but
still polynomial in N.) The second register will carry numbers between 1 to N. Hence
the two registers will consist of O(log(N)) qubits.

Shor's Algorithm

$|0\rangle \otimes |0\rangle$

Apply Fourier Transform over $Z_Q$ on the first register.

$\frac{1}{\sqrt{Q}} \sum_{l=0}^{Q-1} |l\rangle \otimes |0\rangle$

Call subroutine which computes $|l\rangle|d\rangle \longmapsto |l\rangle|d \oplus Y^l \bmod N\rangle$.
Measure second register.

Apply Fourier Transform over $Z_Q$ on the first register.
Measure first register. Let $k_1$ be the outcome.

Approximate the fraction $\frac{k_1}{Q}$ by a fraction with denominator smaller than N,
using the (classical) method of continued fractions.

If the denominator d doesn't satisfy $Y^d = 1 \bmod N$, throw it away.
Else call the denominator $r_1$.

Repeat all previous steps poly(log(N)) times to get $r_1, r_2, \ldots$
Output the minimal r.

Let us now understand how this algorithm works. In the second step of the algorithm,
all numbers between 0 and Q - 1 are present in the superposition, with equal weights. In the
third step of the algorithm, they are separated to sets, each has periodicity r. This is done
as follows: there are r possible values written on the second register: $a \in \{Y^0, Y^1, \ldots, Y^{r-1}\}$.
The third state can thus be written as:

$$\frac{1}{\sqrt{Q}} \left( \sum_{l=0 \,|\, Y^l = Y}^{Q-1} |l\rangle \otimes |Y\rangle + \sum_{l=0 \,|\, Y^l = Y^2}^{Q-1} |l\rangle \otimes |Y^2\rangle + \ldots + \sum_{l=0 \,|\, Y^l = Y^r}^{Q-1} |l\rangle \otimes |Y^r = 1\rangle \right)$$

Note that the values l that give $Y^l = a$ have periodicity r: If the smallest such l is $l_0$, then
$l = l_0 + r, l_0 + 2r, \ldots$ will also give $Y^l = a$. Hence each term in the brackets has periodicity
r. Each set of l's, with periodicity r, is attached to a different state of the second register.
Before the computation of $Y^l$, all l's appeared equally in the superposition. Writing down
the $Y^l$ on the second register can be thought of as giving a different "color" to each periodic
set in [0, Q - 1]. Visually, this can be viewed as follows:

[Figure: the first-register values 1, 2, ..., r, r+1, ..., 2r, 2r+1, ..., Q-1 on a line.]

The measurement of the second register picks randomly one of these sets, and the state
collapses to a superposition of l's with periodicity r, with an arbitrary shift $l_0$. Now, how
to obtain the periodicity? The first idea that comes to mind is to measure the first register
twice, in order to get two samples from the same periodic set, and somehow deduce r from
these samples. However, the probability that the measurement of the second register yields
the same shift in two runs of the algorithm, i.e. that the same periodic set is chosen twice,
is exponentially small. How to gain information about the periodicity in the state without
simply sampling it? This is done by the Fourier transform. To understand the operation
of the Fourier transform, we use a diagram again:

[Figure: diagram of the Fourier transform, drawn over the first-register values 1, 2, ..., r, r+1, ..., 2r, 2r+1, ..., Q-1.]
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Each edge in the diagram indicates that there is some probabiHty amphtude to trans- 
form from the bottom basis state to the upper one. We now measure the first register, 
to obtain k. To find the probabihty to measure each k, we need to sum up the weights 
coming from all the j's in the periodic set. 



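$$\mathrm{Prob}(k) = \frac{1}{QA} \left| \sum_{j=0}^{A-1} e^{2\pi i k (jr + l_0)/Q} \right|^2 = \frac{1}{QA} \left| \sum_{j=0}^{A-1} \left( e^{2\pi i k r/Q} \right)^j \right|^2 \qquad (25)$$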

Hence, in order to compute the probability to measure each k, we need to evaluate a 
geometrical series. Alternatively the geometric series is a sum over unit vectors in the 
complex plane. 



Exact periodicity: Let us assume for a second exact periodicity, i.e. that r divides Q
exactly. Then A = Q/r. In this case, the above geometrical series is equal to zero, unless
$e^{2\pi i k r/Q} = 1$. Thus we measure with probability 1 only k's such that $kr = 0 \bmod Q$. This is
where destructive interference comes to play: only "good" k's, which satisfy $kr = 0 \bmod Q$,
remain, and all the others cancel out. Why are such k's "good"? We can write kr = mQ,
for some integer m, or k/Q = m/r. We know Q, and we know k since we have measured
it. Therefore we can reduce the fraction k/Q. If m and r are coprime, the denominator
will be exactly r which we are looking for! By the prime number theorem, there are
approximately n/log(n) numbers smaller than n and coprime with n, so since m is chosen
randomly, repeating the experiment a large enough number of times we will with very
high probability eventually get m coprime to r.

Imperfect periodicity: In the general case, r does not divide Q, and this means that
the picture is less clear. "Bad" k's do not completely cancel out. We distinguish between
two types of k's, for which the geometrical series of vectors in the complex plane looks as
follows:

In the left case, all vectors point in different directions, and they tend to cancel each
other. This will cause destructive interference, which will cause the amplitude of such k's
to be small. In the right case, all vectors point almost to the same direction. In this case
there will be constructive interference of all the vectors. This happens when $e^{2\pi i k r/Q}$ is
close to one, or when kr mod Q is close to zero. This means that with high probability, we
will measure only k's which satisfy an approximate criterion $kr \approx 0 \bmod Q$. In particular,
consider k's which satisfy:

$$-r/2 < kr \bmod Q < r/2 \qquad (26)$$

There are exactly r values of k satisfying this requirement, because k runs from 0 to
Q - 1, therefore kr runs from 0 to (Q - 1)r, and this set of integers contains exactly r
multiples of Q. Note, that for such k's all the complex vectors lie in the upper half of the
complex plane, so they are constructively interfering. Now the probability to measure such
a k is bounded below, by choosing the largest exponent possible:

$$\mathrm{Prob}(k) \ge \frac{1}{QA} \left| \frac{1 - e^{i\pi r A/Q}}{1 - e^{i\pi r/Q}} \right|^2 = \frac{1}{QA} \left| \frac{\sin(\pi r A/2Q)}{\sin(\pi r/2Q)} \right|^2 \approx \frac{4}{\pi^2 r}$$

Where the approximation is due to the fact that Q is chosen to be much larger than N > r,
therefore the sine in the numerator is close to 1 with negligible correction of the order
of r/Q. In the denominator we use the approximation $\sin(x) \approx x$ for small x, and the
correction is again of the order of r/Q. The probability to measure any k which satisfies
(26) is approximately $4/\pi^2$, since there are r such k's.

Why are such k's "good"? Given an integer k which satisfies the criterion (26), we can
find r with reasonably high probability. Note that for "good" k's, there exists an integer
m such that:

$$\left| \frac{k}{Q} - \frac{m}{r} \right| \le \frac{1}{2Q}$$

Remember that Q is chosen to be much larger than N, say $Q > N^2$. This means
that $\frac{k}{Q}$, a fraction with denominator $> N^2$, can be approximated by $\frac{m}{r}$, a fraction with
denominator smaller than N, to within $\frac{1}{2Q}$. There is only one fraction with such a small
denominator that approximates a fraction so well with such large denominator. Given k/Q,
the approximating fraction, $\frac{m}{r}$, can be found efficiently, using the method of continued
fractions:

$$a = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \ldots}},$$

where $a_i$ are all integers. Finding this fraction, the denominator will be r! Well, not
precisely. Again, it might be the case that m and r are not coprime, and the number we
find will be the denominator of the reduced fraction of $\frac{m}{r}$. In this case the number will
fail the test $Y^r = 1 \bmod N$ which is included in Shor's algorithm, and it will be thrown away.
Fortunately, the probability for m to be coprime to r is large enough: it is greater than
1/log(r). We repeat the experiment until this happens.

This concludes Shor's algorithm. In the next chapter we will see an alternative algorithm
by Kitaev for finding the order modulo N.
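The measurement statistics and the classical post-processing described above can be checked numerically. The following Python sketch is an added example, not code from the review: it evaluates the distribution of equation (25), selects the k's of criterion (26), and recovers r by continued fractions, including the case where m and r are not coprime and the candidate fails the test. The values N = 21, Y = 2, Q = 512, the shift l_0 = 3 and all function names are constructed for illustration.

```python
import cmath

# Constructed illustration values (not from the review): Y = 2 has order r = 6
# modulo N = 21, and Q = 512 > N^2 is not a multiple of r (imperfect periodicity).
N, Y, Q, R_TRUE, L0 = 21, 2, 512, 6, 3


def measurement_distribution(Q, r, l0):
    """Prob(k) of equation (25) for the periodic set {l0, l0 + r, ...} in [0, Q-1]."""
    A = len(range(l0, Q, r))  # number of elements in the periodic set
    probs = []
    for k in range(Q):
        amp = sum(cmath.exp(2j * cmath.pi * ((k * (j * r + l0)) % Q) / Q)
                  for j in range(A))
        probs.append(abs(amp) ** 2 / (Q * A))
    return probs


def is_good(k, Q, r):
    """Criterion (26): -r/2 < kr mod Q < r/2, with the residue taken around zero."""
    residue = (k * r) % Q
    if residue > Q // 2:
        residue -= Q
    return -r / 2 < residue < r / 2


def convergents(num, den):
    """Yield the continued-fraction convergents (p, q) of num/den."""
    p_prev2, q_prev2 = 0, 1  # p_{-2}, q_{-2}
    p_prev, q_prev = 1, 0    # p_{-1}, q_{-1}
    while den:
        a, rem = divmod(num, den)
        p, q = a * p_prev + p_prev2, a * q_prev + q_prev2
        yield p, q
        p_prev2, q_prev2, p_prev, q_prev = p_prev, q_prev, p, q
        num, den = den, rem


def candidate_order(k, Q, N):
    """Denominator of the last convergent of k/Q whose denominator is below N."""
    best = 1
    for _, q in convergents(k, Q):
        if q >= N:
            break
        best = q
    return best


def recover_order(k, Q, N, Y):
    """Return the candidate if it passes the test Y^r = 1 mod N, else None."""
    r = candidate_order(k, Q, N)
    return r if pow(Y, r, N) == 1 else None


def run_demo():
    probs = measurement_distribution(Q, R_TRUE, L0)
    good = [k for k in range(Q) if is_good(k, Q, R_TRUE)]
    return {
        "good_ks": good,
        "good_mass": sum(probs[k] for k in good),
        "recovered": {k: recover_order(k, Q, N, Y) for k in good},
    }


if __name__ == "__main__":
    result = run_demo()
    print("good k's:", result["good_ks"])
    print("probability of a good k: %.3f" % result["good_mass"])
    for k, r in result["recovered"].items():
        print("k = %3d -> %s" % (k, r if r is not None else "rejected, repeat"))
```

Only the measurements with m coprime to r (here k = 85 and k = 427) yield the order; the others give a proper divisor of r, fail the test and are thrown away.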



7 Fourier Transforms 

The ability to efficiently apply Fourier transforms over groups with exponentially many
elements is unique to the quantum world. In fact, Fourier transforms are the only known
tool in quantum computation which gives exponential advantage. For this reason it is
worthwhile to devote a whole chapter to Fourier transforms. The Fourier transform is
defined as follows. Denote the additive group of integers modulo Q by $Z_Q$. Let f be a
function from the group $Z_Q$ to the complex numbers:

$$f : a \mapsto f(a) \in \mathbb{C} \qquad (27)$$

The Fourier transform of this function is another function from $Z_Q$ to the complex numbers:

$$\hat{f} : a \mapsto \hat{f}(a) = \frac{1}{\sqrt{Q}} \sum_{b \in Z_Q} e^{2\pi i ab/Q} f(b) \in \mathbb{C} \qquad (28)$$

The straightforward way to compute the Q Fourier coefficients of the function, $\hat{f}(a)\ \forall a$,
will take $O(Q^2)$ time. When Q is a factor of 2, there is a way to shorten the trivial
Fourier transform algorithm using recursion. This is called fast Fourier transform, or in
short FFT, and it enables to compute the Fourier transform within $O(Q \log(Q))$ time
steps [f7^]. When Q is very large, this still is a very slow operation.

In the quantum world, a function from the Abelian group $G = Z_Q$ to the complex
numbers $f : a \mapsto f(a)$ can be represented by a superposition $|f\rangle = \sum_{a=0}^{Q-1} f(a)|a\rangle$ (perhaps
normalized). The Fourier transform of the function will be $|\hat{f}\rangle = \sum_{a=0}^{Q-1} \hat{f}(a)|a\rangle$. Note
that in the quantum setting, the function on Q elements is represented compactly as a
superposition on log(Q) qubits. This compact representation allows in some cases to apply
the transformation $|f\rangle \mapsto |\hat{f}\rangle$ very efficiently, in only O(log(Q)) time steps. Indeed, measuring
all the Fourier coefficients will still take time which is exponential in log(Q) simply
because the number of coefficients is exponential. However, the actual transformation
from a superposition to its Fourier transform will be very fast.

In order to apply the Fourier transformation on general states, it suffices to apply the
following transformation on the basis states:

$$|a\rangle \mapsto |\Psi_{Q,a}\rangle = \frac{1}{\sqrt{Q}} \sum_{b=0}^{Q-1} e^{2\pi i ab/Q} |b\rangle. \qquad (29)$$

We will first consider the special case of $Q = 2^m$, which is simpler than the general case,
since classical techniques for fast Fourier transforms can be adopted [172, 51, 72, Q 109].
I will give here a nice description by Cleve et al. [7C]. Later I'll describe Kitaev's [123]
more general quantum Fourier transform, for any Abelian group, which implies a beautiful
alternative factorization algorithm.



Quantum fast Fourier transform. Let $Q = 2^m$. An integer $a \in \{0, 1, \ldots, 2^m - 1\}$ is
represented in binary representation by $|a_1 \ldots a_m\rangle$, so $a = a_1 2^{m-1} + a_2 2^{m-2} + \ldots + a_{m-1} 2^1 + a_m$.
Interestingly, the Fourier state in this case is not entangled, and can be written as a
tensor product:

$$|\Psi_{Q,a}\rangle = \frac{1}{\sqrt{Q}} \left( |0\rangle + e^{2\pi i\, 0.a_m} |1\rangle \right) \left( |0\rangle + e^{2\pi i\, 0.a_{m-1}a_m} |1\rangle \right) \cdots \left( |0\rangle + e^{2\pi i\, 0.a_1 \ldots a_m} |1\rangle \right) \qquad (30)$$

We can see this by computing the coefficient of b in this formula. In fact, what matters
is that the phases in the coefficient of b from both sides of the equality are equal
(modulo 1). To see this, observe that the phase of $|b\rangle$ in the left term is
$2^{-m} ab = 2^{-m} \sum_{i,j=1}^{m} a_i 2^{m-i} b_j 2^{m-j}$, which can be seen to be equal modulo 1 to
$0.a_m \cdot b_1 + 0.a_{m-1}a_m \cdot b_2 + \ldots + 0.a_1 \ldots a_{m-1}a_m \cdot b_m$, which is the phase of $|b\rangle$ in the right term.

To apply the QFFT, we will need only two gates. The first is the Hadamard gate on
one qubit. The second gate is a gate on two qubits, which applies a conditioned phase
shift on one qubit, given that the other qubit is in state $|1\rangle$. $R_k$ denotes the phase shift
on one qubit by $e^{2\pi i/2^k}$.

[Figure (31): the gate symbols for H and $R_k$.]

We will operate the following gate array:

[Figure: gate array on the input qubits $|a_1\rangle, |a_2\rangle, \ldots, |a_{m-1}\rangle, |a_m\rangle$. Each qubit passes through H followed by the conditioned phase shifts $R_2, \ldots, R_{m-1}, R_m$. The outputs, from the first qubit to the last, are:
$|0\rangle + \exp(2\pi i\, 0.a_1 a_2 a_3 \ldots a_{m-1} a_m)|1\rangle$
$|0\rangle + \exp(2\pi i\, 0.a_2 a_3 \ldots a_{m-1} a_m)|1\rangle$
...
$|0\rangle + \exp(2\pi i\, 0.a_{m-1} a_m)|1\rangle$
$|0\rangle + \exp(2\pi i\, 0.a_m)|1\rangle$]

We claim that this gate array implements the FT, except that the output is in reverse
order of bits. To prove this, we show that each bit gains the phase it is supposed to gain,
according to equation 30. The first H on the first bit $a_1$ produces the state on m qubits:

$$(|0\rangle + e^{2\pi i (0.a_1)} |1\rangle) |a_2 \ldots a_m\rangle$$

and the next $R_2$ makes it

$$(|0\rangle + e^{2\pi i (0.a_1 a_2)} |1\rangle) |a_2 \ldots a_m\rangle,$$

and so on until the first qubit is in the correct state (of the last bit in equation 30):

$$(|0\rangle + e^{2\pi i (0.a_1 a_2 \ldots a_m)} |1\rangle) |a_2 \ldots a_m\rangle.$$

In the same way the phases of the rest of the qubits are fixed, one by one. We now simply
reverse the order of the bits to obtain the correct FT.

Note that the number of gates is m(m - 1)/2 which is $O(\log^2(Q))$. In fact, many of
these gates can be omitted, because $R_k$ can be exponentially close to one. Omitting such
gates we still obtain a very good approximation of the Fourier transform [72].
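The claim that the gate array reproduces equation (29) after bit reversal, and the effect of omitting phase shifts that are close to one, can both be verified on a small register. The following Python state-vector simulation is an added example, not code from the review; the choice m = 6, the `max_k` cut-off parameter and all function names are assumptions made for the illustration.

```python
import cmath
import math


def bit(index, m, qubit):
    """Value of qubit `qubit` (1 = most significant, a_1 in the text) in a basis index."""
    return (index >> (m - qubit)) & 1


def apply_h(state, m, target):
    """Hadamard gate on one qubit of an m-qubit state vector."""
    shift = m - target
    out = list(state)
    for i in range(len(state)):
        if not (i >> shift) & 1:
            j = i | (1 << shift)
            out[i] = (state[i] + state[j]) / math.sqrt(2)
            out[j] = (state[i] - state[j]) / math.sqrt(2)
    return out


def apply_controlled_r(state, m, control, target, k):
    """R_k on `target`, applied only when `control` is in state |1>."""
    phase = cmath.exp(2j * cmath.pi / 2 ** k)
    return [amp * phase if bit(i, m, control) and bit(i, m, target) else amp
            for i, amp in enumerate(state)]


def reverse_bits(state, m):
    """Reverse the order of the qubits."""
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        out[int(format(i, "0{}b".format(m))[::-1], 2)] = amp
    return out


def qft_gate_array(state, m, max_k=None):
    """Run the gate array; R_k with k > max_k are omitted.

    Returns the output state and the number of conditioned phase shifts used.
    """
    gates = 0
    for t in range(1, m + 1):
        state = apply_h(state, m, t)
        for c in range(t + 1, m + 1):
            k = c - t + 1
            if max_k is None or k <= max_k:
                state = apply_controlled_r(state, m, c, t, k)
                gates += 1
    return reverse_bits(state, m), gates


def fourier_state(a, m):
    """The state of equation (29) for Q = 2^m."""
    Q = 2 ** m
    return [cmath.exp(2j * cmath.pi * ((a * b) % Q) / Q) / math.sqrt(Q)
            for b in range(Q)]


def worst_case_error(m, max_k=None):
    """Largest L2 distance, over all basis inputs |a>, between the array output and (29)."""
    worst = 0.0
    for a in range(2 ** m):
        basis = [0j] * 2 ** m
        basis[a] = 1 + 0j
        out, _ = qft_gate_array(basis, m, max_k)
        ref = fourier_state(a, m)
        worst = max(worst, math.sqrt(sum(abs(x - y) ** 2 for x, y in zip(out, ref))))
    return worst


if __name__ == "__main__":
    m = 6
    start = [1 + 0j] + [0j] * (2 ** m - 1)
    print("conditioned phase shifts:", qft_gate_array(start, m)[1])
    print("exact array, worst error: %.2e" % worst_case_error(m))
    print("R_6 omitted, worst error: %.4f" % worst_case_error(m, max_k=5))
```

For m = 6 the full array uses m(m - 1)/2 = 15 conditioned phase shifts and matches equation (29) to rounding error; dropping the single gate R_6 changes the output by at most about 0.07 in L2 distance.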



Kitaev's algorithm: Kitaev's algorithm [123] shows how to approximate efficiently the
FT over the cyclic group $Z_Q$ for any Q (a cyclic group is a group that is generated by
one element). The generalization to any Abelian group is simple [123], but will not be
described here. The sequence of operation is the following:

Fourier Transform a la Kitaev

$$|a\rangle \otimes |0\rangle \Rightarrow |a\rangle \otimes |\Psi_{Q,0}\rangle \Rightarrow |a\rangle \otimes |\Psi_{Q,a}\rangle \Rightarrow |0\rangle \otimes |\Psi_{Q,a}\rangle \Rightarrow |\Psi_{Q,a}\rangle \otimes |0\rangle$$



The most important and difficult step in this algorithm is the third step. Let us understand
how to perform each of the other steps first:

1. $|0\rangle \mapsto |\Psi_{Q,0}\rangle$ is actually a classical operation. We pick an integer between 1 and
Q uniformly at random using a recursive procedure. Let $2^{n-1} < Q < 2^n$. Denote
$Q_0 = 2^{n-1}$ and $Q_1 = Q - Q_0$. Apply the one qubit gate
$|0\rangle \mapsto \sqrt{\frac{Q_0}{Q}}|0\rangle + \sqrt{\frac{Q_1}{Q}}|1\rangle$.
Now, conditioned on the first bit x, create on the last n - 1 bits, the state $|\Psi_{Q_x,0}\rangle$
recursively.

2. $|a\rangle \otimes |\Psi_{Q,0}\rangle \Rightarrow |a\rangle \otimes |\Psi_{Q,a}\rangle$ is achieved by applying $|a,b\rangle \mapsto e^{2\pi i ab/Q}|a,b\rangle$.

3. The third operation is, perhaps surprisingly, the most difficult part in the FT, and
I will sketch the idea next.

4. The last operation is merely swapping the bits.

To apply the third step, we note that the vectors $|\Psi_{Q,a}\rangle$ are eigenvectors of the unitary
operation $U : |g^x\rangle \mapsto |g^{x+1}\rangle$, where g is the generator of the cyclic group, with
eigenvalues $e^{-2\pi i a/Q}$. The operation $|a\rangle \otimes |\Psi_{Q,a}\rangle \Rightarrow |0\rangle \otimes |\Psi_{Q,a}\rangle$ is actually the reverse
of computing the eigenvalue of an eigenvector. We need to be able to write down the
eigenvalues of a given unitary matrix. Kitaev has proved the following lemma:

Lemma 2 (Kitaev) Let U be a unitary matrix on n qubits such that $U, U^2, U^4, \ldots, U^{2^n}$ can
be applied efficiently. Let $|\Psi_\theta\rangle$ be U's eigenvectors with corresponding eigenvalues $e^{i\theta}$.
Then the transformation $|\Psi_\theta\rangle \otimes |0\rangle \mapsto |\Psi_\theta\rangle \otimes |\theta\rangle$ can be approximated to exponential
accuracy, efficiently.

Proof: The idea that lies behind this theorem is interference. The eigenvalues are
phases, and in order to gain information about a phase we need to compare it with some
reference phase, just like what happens in an interferometer. The implementation of this
idea in the setting of qubits is done by adding a control qubit. We proceed as follows.
We apply the Hadamard transform H on the control qubit, which separates the state to
two paths, one in which the control qubit is in state $|1\rangle$ and the other in which it is $|0\rangle$.
Now U is applied on $|\Psi_\theta\rangle$, conditioned that the control qubit is 1. This adds a phase $e^{i\theta}$
on one of the paths, which can be compared to the reference path. Finally, the controlled
qubit is rotated again by a Hadamard transform. The following diagram captures the idea
schematically:

The control qubit is now in a state $|\beta\rangle = \frac{1 + e^{i\theta}}{2}|0\rangle + \frac{1 - e^{i\theta}}{2}|1\rangle$, which is a qubit biased
according to the eigenvalue. If we measure this qubit, it behaves like a coin flip with bias
$p = |1 - e^{i\theta}|^2/4 = \frac{1 - \cos\theta}{2}$.

The idea is to create many control qubits, and measure all of them. This is like
performing many independent coin tosses. We can deduce $\theta$ from the ratio between the
number of times we got 1 and the number of times we got 0. For this, we will apply a
classical algorithm on the outcomes of the measurements. However, there are two problems
with this idea. One is that the outcome of the algorithm will be classical, while we want
to create a unitary transformation which writes down the eigenvalues and can be applied
on superpositions. We will deal with this problem later. A more severe problem is that
the algorithm should find $\theta$ with exponential accuracy (polynomially many bits), since
there are exponentially many eigenvalues. To achieve exponential accuracy in $\theta$ we need
exponentially many coin tosses; by Chernoff's inequality [73], exponentially many coin
tosses are required in order to achieve exponential accuracy in $\theta$. Since we are limited to
polynomial algorithms, we can only deduce $\theta$ with polynomial accuracy. The solution to
this problem takes advantage of the fact that the powers of U can be applied efficiently.
To deduce $\theta$ to higher accuracy, we slightly modify the interference scheme: instead of U,
we apply $U^2$. This will generate another set of biased qubits, from which we can deduce
$2\theta$ with polynomial accuracy. The same thing can be done using $U^4, \ldots, U^{2^n}$, and this will
generate n sets of m = poly(n) biased qubits. From the outcomes of the measurements of
the j'th set, we compute $2^j\theta$ with polynomial accuracy. It is easy to construct a polynomial
classical algorithm that computes $\theta$ with exponential precision (which is what we need)
from the polynomial approximations of $\theta, 2\theta, 4\theta, \ldots, 2^n\theta$.

It is left to show how the above computation can be made unitary. The idea is that it
is not necessary to measure each set of qubits, in order to count the number of 1's. Instead
of measuring these bits, we will apply a unitary transformation that counts the portion of
1's out of m and writes this portion down on a counting register. If we denote by w(i) the
number of 1's in a string i, or the weight of the string, then this transformation will be:

$$|i\rangle|0\rangle \mapsto |i\rangle|w(i)/m\rangle. \qquad (32)$$

The resulting state will look something like:

$$|\Psi_\theta\rangle \otimes \sum_i \sqrt{p^{w(i)}(1-p)^{m-w(i)}}\, |i\rangle|w(i)\rangle \qquad (33)$$

with perhaps extra phases. Most of the weight in this state is concentrated on strings
with approximately pm 1's, like in a Bernoulli experiment. For each set of control qubits,
we obtain some portion, written on the counting register of that set. We denote the n
portions by $w_\theta, w_{2\theta}, \ldots, w_{2^n\theta}$. We can now apply the unitary version of the classical algorithm
which computes an exponentially close approximation of $\theta$ given the portions w. If we call
this procedure T, we have:

$$|w_\theta\rangle|w_{2\theta}\rangle \cdots |w_{2^n\theta}\rangle|0\rangle \mapsto |w_\theta\rangle|w_{2\theta}\rangle \cdots |w_{2^n\theta}\rangle|\theta\rangle \qquad (34)$$

We now have $\theta$ written down on the last register. Let us denote by Q' the unitary
operation which the algorithm applies so far. It is tempting to think that Q' is the desired
transformation, $|\Psi_\theta\rangle \otimes |0\rangle \Rightarrow |\Psi_\theta\rangle \otimes |\theta\rangle$. This is not true. Actually, Q' is exponentially
close to

$$Q : |\Psi_\theta\rangle \otimes |0\rangle \otimes |0\rangle \mapsto |\Psi_\theta\rangle \otimes |\theta\rangle \otimes |garbage_\theta\rangle,$$

where the last register consists of all the control qubits and ancilla qubits which we
have used during the computation. The reason for the fact that Q' is not exactly Q, is
that in the classical coin tossing, there is an exponentially small probability to get a result
which is very far from the expected number of 1's, mp. This translates in equation 33
to the appearance, with exponentially small weight, of strings i which are very far from
the expected number of 1's, mp. We now want to ask, why do the garbage qubits matter.
These qubits carry information which is no longer needed, but nevertheless are entangled
with the rest of the computer. The point is that their existence might prevent interference
in future computation. We will develop tools to think about interference in section 9, but
roughly, garbage has the same effect as interaction with the environment, which is known
to cause decoherence. How to get rid of the garbage? The problem is that we cannot simply
erase the garbage by setting all the garbage qubits to $|0\rangle$, because the transformation that
takes a general state to $|0\rangle$ is not unitary. Fortunately, in our case there is a unitary
transformation that erases the garbage. We do the following: We copy $\theta$, which is written
on the last register, on an extra register which is initialized in the state $|0\rangle$. The copying
is done bit by bit, using polynomially many CNOT gates. We now apply in reverse order
the reverse of all transformations done so far in the algorithm, except for the CNOT gates.
The overall transformation is exponentially close to the following sequence of operations:
apply Q, then copy $\theta$ and then apply $Q^{-1}$. This sequence of operation indeed achieves the
desired transformation without garbage:

$$|\Psi_\theta\rangle \otimes |0\rangle \otimes |0\rangle \otimes |0\rangle \xrightarrow{\;Q\;} |\Psi_\theta\rangle \otimes |\theta\rangle \otimes |garbage_\theta\rangle \otimes |0\rangle \xrightarrow{\;\text{CNOT gates}\;} |\Psi_\theta\rangle \otimes |\theta\rangle \otimes |garbage_\theta\rangle \otimes |\theta\rangle \xrightarrow{\;Q^{-1}\;} |\Psi_\theta\rangle \otimes |0\rangle \otimes |0\rangle \otimes |\theta\rangle$$

One can save many qubits by erasing garbage in the middle of the computation, when it 
is no longer needed, and using these erased qubits as register in the rest of the computation. 
A different proof of this lemma can be found in |7^, where QFFT over Z2 is used. □ 

This concludes the Fourier transform algorithm. Kitaev's procedure of writing the
eigenvalue down implies a very simple alternative factorization algorithm. The way an
integer is factorized is done again by finding the order of a number Y which is coprime
to N. (Recall that the order of Y is the least r such that $Y^r = 1 \bmod N$.) Consider the
unitary transformation $U : |g\rangle \mapsto |gY \bmod N\rangle$. The eigenvectors of U, $\{|\Psi_a\rangle\}$, are exactly
the linear superpositions of all configurations in the subgroup $\{Y, Y^2, Y^3, \ldots, Y^r\}$, or any
coset of this subgroup, $\{gY, gY^2, gY^3, \ldots, gY^r\}$, with appropriate phases:

j j 

The eigenvalues of U hold information about r! The idea would be to apply Kitaev's
lemma, write down $\theta = 2\pi a/r$ and deduce r from it.

We start with the basis state $|0\rangle$, which can be written as an equal superposition of
all eigenvectors: $|0\rangle = \sum_a |\Psi_a\rangle$, as you can easily check. Applying Kitaev's lemma on the
state $|0\rangle$ we get on the second register all eigenvalues written with uniform probability. We
now measure this register, which carries an exponentially close approximation of $2\pi a/r$.
We divide by $2\pi$ to get c, an exponentially good approximation of a/r. Now, using the
method of continued fraction, like in Shor's algorithm, we find the closest fraction to c
with denominator less than N. With high enough probability a and r are coprime, so we
get r in the denominator. If not, the denominator does not satisfy $Y^r = 1 \bmod N$, and we
repeat the experiment again. Here is a summary of the algorithm:



Factorization a la Kitaev

$\sum_a |\Psi_a\rangle |0^n\rangle$
Apply Kitaev's transformation $|\Psi_a\rangle|0\rangle \mapsto |\Psi_a\rangle|2\pi a/r\rangle$:
$\sum_a |\Psi_a\rangle |2\pi a/r\rangle$
Measure the second register. Classically compute r from the outcome.



Factorization can be viewed as finding the order of elements in Abelian groups. Many
people tried to generalize Shor's and Kitaev's algorithms to non-Abelian groups. It is
conjectured that Fourier transforms over non-Abelian groups would be helpful tools, however
they are much more complicated operations since the Fourier coefficients are complex
matrices, and not complex numbers! Beals [p^] made the first (and only) step in this direction
by discovering an efficient quantum Fourier transform algorithm for the non-Abelian
permutations group, $S_n$, building on the classical FFT over $S_n$ [6^]. Beals was motivated
by an old hard problem in computer science: Given two graphs, can we say whether they
are isomorphic (i.e. one is simply a permutation of the other) or not. This problem is
not known to be NP-complete, but the best known algorithm is exponential. It is still
not known whether Beals' Fourier transform can be used for solving graph isomorphism.
A very interesting open question is whether efficient quantum Fourier transforms can be
done over any group, and can they be used to solve other problems.



8 Grover's Algorithm for Finding a Needle in a Haystack 

Grover's algorithm is surprising and counterintuitive at first sight, though it achieves
only a polynomial (quadratic) improvement over classical algorithms. It deals with the
database search problem. Suppose you have access to an unsorted database of size N. You
are looking for an item i which satisfies some property. It is easy to check whether the
property is satisfied or not. How long will it take you to find such an item, if it exists? If
you are using classical computation, obviously it can take you N steps. If you are using
probabilistic classical computation, you can reduce it to N/2 expected steps. But if you
are using a quantum computer, you can find the item in $O(\sqrt{N})$ steps! I will present here
the algorithm which was found by Grover [llC] in 1995. However, I will use here a different
representation of the algorithm, which is mainly based on the geometrical interpretation
by Boyer et al. [||, ||].

The algorithm works as follows. Set log(N) = n, and let us define a function
$f : \{0,1\}^n \mapsto \{0,1\}$ where f(i) = 0 if the i'th item does not satisfy the desired property,
and f(i) = 1 in the case it does. Let t be the number of items such that f(i) = 1. For the
moment, we assume that t = 1. The algorithm operates in the Hilbert space of n qubits.
Its main part actually works in a subspace of dimension 2 of this space. This subspace is
the one which is spanned by the two vectors:




We begin by applying a FT on $|0\rangle$ which generates the uniform vector $|a\rangle$, using n
Hadamard gates. We now want to rotate the vector in the two dimensional subspace
spanned by $|a\rangle$ and $|b\rangle$ so that eventually we have large projection on the direction
orthogonal to $|b\rangle$, which is exactly the item we want. The idea is that a rotation by the
angle $2\theta$ is equivalent to two reflections, first with respect to $|a\rangle$, and then with respect
to $|b\rangle$. We define a Boolean function g(i) to be 0 only for i = 0, and 1 for the rest.
A reflection around $|0\rangle$ is obtained by $R_0 : |i\rangle \mapsto (-1)^{g(i)}|i\rangle$. A reflection around $|a\rangle$
is achieved by: $R_a = FT \circ R_0 \circ FT$. To reflect around $|b\rangle$, apply the transformation:
$R_b : |i\rangle \mapsto (-1)^{f(i)}|i\rangle$. A rotation by an angle $2\theta$ is achieved by applying $R_a R_b$.



Grover's algorithm 

Apply Fourier transform on |0) to get \a). 
Apply $R_a R_b$ $\sqrt{N}\pi/4$ times.
Measure all bits. 



The crucial point is that $\theta$ satisfies $\cos(\theta) = \sqrt{\frac{N-1}{N}}$ so for large N, we have

$$\theta \approx \sin(\theta) = \frac{1}{\sqrt{N}} \qquad (36)$$

Therefore after $O(\sqrt{N})$ rotations, with high probability the measurement yields an item
satisfying f(i) = 1. Note that this algorithm relies heavily on the assumption that the
number of "good" items is one. If for example the number of "good" items is t = 2,
we will have almost 0 probability to measure a "good" item, exactly when we expect this
probability to be almost one! There are several ways to generalize this algorithm to the
general case where the number of "good" items is not known. One is a known classical
reduction [192]. Another generalization was suggested in [44]. This suggestion not only
finds a "good" item regardless of what the number, t, of "good" items is, but also gives
a good estimation of t. The idea is that the probability to measure a "good" item is a
periodic function in the number of Grover's iteration, where this period depends on t in
a well defined way. The period can be found using ideas similar to what is used in Shor's
algorithm, by Fourier transforms. Grover's algorithm can be used to solve NP complete
problems in time $\sqrt{2^n}$, instead of the classical $2^n$, which simply goes over all the $2^n$ items
in the database.
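The rotation picture above can be checked with a direct state-vector simulation. The following Python sketch is an added example, not code from the review: it builds $R_a = FT \circ R_0 \circ FT$ from Hadamard gates exactly as defined in the text, applies $R_a R_b$ the prescribed $\sqrt{N}\pi/4$ times (rounded down), and compares the measured success probability with $\sin^2((2k+1)\theta)$. The register size n = 8, the marked indices, and the case t = 4 used to show the over-rotation when the iteration count is chosen for t = 1 are constructed values; function names are assumptions.

```python
import math


def hadamard_all(state):
    """H on every qubit (the "FT" on |0> of the text), as a fast Walsh-Hadamard transform."""
    state = list(state)
    size = len(state)
    h = 1
    while h < size:
        for start in range(0, size, 2 * h):
            for i in range(start, start + h):
                x, y = state[i], state[i + h]
                state[i], state[i + h] = x + y, x - y
        h *= 2
    norm = math.sqrt(size)
    return [v / norm for v in state]


def reflect_about_zero(state):
    """R_0: |i> -> (-1)^{g(i)} |i>, with g(0) = 0 and g(i) = 1 for the rest."""
    return [state[0]] + [-v for v in state[1:]]


def reflect_about_b(state, marked):
    """R_b: |i> -> (-1)^{f(i)} |i>, where f(i) = 1 exactly on the marked items."""
    return [-v if i in marked else v for i, v in enumerate(state)]


def default_iterations(n):
    """sqrt(N) * pi / 4 rounded down: the count prescribed for a single good item."""
    return int(math.sqrt(2 ** n) * math.pi / 4)


def grover_success_probability(n, marked, iterations=None):
    """Probability that the final measurement yields an item with f(i) = 1."""
    if iterations is None:
        iterations = default_iterations(n)
    size = 2 ** n
    state = hadamard_all([1.0] + [0.0] * (size - 1))  # the uniform vector |a>
    for _ in range(iterations):
        state = reflect_about_b(state, marked)                        # R_b
        state = hadamard_all(reflect_about_zero(hadamard_all(state)))  # R_a
    return sum(state[i] ** 2 for i in marked)


def predicted_probability(n, t, iterations):
    """sin^2((2k+1) theta) with sin(theta) = sqrt(t/N), from the rotation picture."""
    theta = math.asin(math.sqrt(t / 2 ** n))
    return math.sin((2 * iterations + 1) * theta) ** 2


if __name__ == "__main__":
    n = 8
    one = {173}                # constructed: a single good item
    four = {3, 90, 173, 250}   # constructed: four good items
    k = default_iterations(n)
    print("iterations for t = 1:", k)
    print("t = 1: %.5f" % grover_success_probability(n, one))
    print("t = 4, same iteration count: %.5f" % grover_success_probability(n, four))
    print("t = 4, count rescaled by 1/sqrt(t): %.5f"
          % grover_success_probability(n, four, iterations=k // 2))
```

With N = 256 the single good item is found with probability above 0.999 after 12 iterations, while the same 12 iterations with four good items rotate the state almost exactly past the target.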

Grover's algorithm provides a quadratic advantage over any possible classical algorithm,
which is optimal, due to Bennett et al. [36, 204], a result which I will discuss when
dealing with quantum lower bounds. Let me now describe several variants
on Grover's algorithm, all using Grover's iteration as the basic step. (These variants and
others can be found in Refs. g^, |lTl|, |3, [lT2|, |4|, g|] and [|TT.)



Estimating the median to a precision $\epsilon$ [113, 111].

f is a function from {1, ..N} to {1, ..N} where N is extremely large. We are
given $\epsilon > 0$. We want to find the median M, where we allow a deviation by $\epsilon$,
i.e. the number of items smaller than M should be between $\frac{(1 \pm \epsilon)N}{2}$. We also
allow an exponentially small (in $1/\epsilon$) probability for an error.

We assume that N is very large, and so only polylog(N) operations are considered feasible.
Classically, this means that the median cannot be computed exactly but only estimated
probabilistically. A classical probabilistic algorithm cannot do better than sample random
elements f(i), and compute their median. An error would occur if more than half the
elements are chosen from the last items, or from the first items. For these events
to have exponentially small probability, we need $O(\frac{1}{\epsilon^2})$ samples, by Chernoff's law [73].
The following quantum algorithm performs the task in $O(\frac{1}{\epsilon})$ steps.

The idea is to find M by binary search, starting with some value, $M_0$, as a guess.
We will estimate up to precision $\epsilon$, the number $|\eta|$ such that $(1 + \eta)N/2$ items satisfy
$f(i) > M_0$. This will take us $O(\frac{1}{\epsilon})$ steps. We can now continue the binary search of M,
according to the $\eta$ which we have found. Note that since we do not have information
about the sign of $\eta$, a simple binary search will not do, but a slight modification will.
Each step reduces the possible range of M by a factor of half, and thus the search will
take polylog(N) $O(\frac{1}{\epsilon})$ steps. It is therefore enough to estimate $|\eta|$ in $O(\frac{1}{\epsilon})$ steps, given a
guess for the median, $M_0$. Here is how it is done.

We define $f_0(i) = 1$ if $f(i) > M_0$, and $f_0(i) = 0$ if $f(i) < M_0$. Our basic iteration will
be a rotation in the subspace spanned by two vectors:

$$|\alpha\rangle = \frac{1}{\sqrt{2^n}} \sum_{i=0}^{2^n-1} |i\rangle, \qquad |\beta\rangle = \frac{1}{\sqrt{2^n}} \sum_{i=0}^{2^n-1} (-1)^{f_0(i)} |i\rangle \qquad (37)$$



Let $|\gamma\rangle$ be a vector orthogonal to $|\beta\rangle$ in the two dimensional subspace. The angle $\theta$ between
$|\alpha\rangle$ and $|\gamma\rangle$ is $\theta \approx \sin(\theta) = \eta$. Rotation by $2\theta$ can be done like in Grover's algorithm.
We start with $|\alpha\rangle$ and rotate by $2\theta$ $\frac{1}{2\epsilon}$ times. The angle between our vector and $|\alpha\rangle$ is
$\eta/\epsilon$. We can now project on $|\alpha\rangle$ (by rotating $|\alpha\rangle$ to $|0\rangle$ and projecting on $|0\rangle$). The result
is distributed like a coin flip with bias $\cos^2(\eta/\epsilon)$. We can repeat this experiment a polynomial
number of times. This will allow us to estimate the bias $\cos^2(\eta/\epsilon)$ and from it $|\eta|/\epsilon$, up
to 1/4, with exponentially small error probability. Thus we can estimate $|\eta|$ up to $\epsilon/4$
in $O(\frac{1}{\epsilon})$ time.

Estimating the mean to a precision $\epsilon$.

f is a function from {1, ..N} to [-0.5, 0.5], where N is assumed to be very
large. We are given $\epsilon > 0$. We want to estimate the mean M up to a precision
$\epsilon$.

Again, classically, this will take $O(\frac{1}{\epsilon^2})$, assuming that N is extremely large. Grover
suggested a quantum algorithm to solve this problem in $O(\frac{1}{\epsilon})$ steps [111]. Instead of showing
Grover's version, I will show a simple classical reduction [199] which allows solving the
mean estimation problem given the median algorithm. The idea is that for Boolean
functions the mean and median problems coincide. We write the real number f(i), which is
between -0.5 to 0.5 in its binary representation: $f(i) = 0.f_1(i)f_2(i)f_3(i)\ldots$ up to $\log(\frac{2}{\epsilon})$
digits, where $f_j(i)$ is the j'th bit of f(i). Hence, $f_j(i)$ are Boolean functions. We can
denote by $M_j$ the mean of $f_j$, which can be estimated by the median algorithm. The
mean of f can be computed from $M = \frac{1}{N} \sum_i f(i) = \sum_j 2^{-j} M_j$. Cutting
the number of digits causes at most $\frac{\epsilon}{2}$ error in M. Each $M_j$ will be estimated to precision
$\epsilon/2$, and this will cause $\frac{\epsilon}{2}$ additional error all together.

Finding the minimum 

f is a function from {1, ..N} to {1, ..N}. We want to find i such that f(i) is
minimal.

Classically, this will take O(N), if the database is not sorted. Durr and Hoyer [87] show
a quantum algorithm which finds the minimum in $O(\sqrt{N})$. This is done by a binary
search of the minimum: At each step j, we have a threshold $\theta_j$. This defines a function:
$f_j(i) = 1$ if $f(i) < \theta_j$, and $f_j(i) = 0$ otherwise. $\theta_0$ is fixed to be N/2, i.e. in the middle
of the interval [1, ...N]. Then we apply Grover's search, to find an i such that $f_0(i) = 1$.
If we find such an i, we fix the new threshold, $\theta_1$ to be f(i). Else, we fix $\theta_1 = 3N/4$, i.e.
in the middle of the interval [N/2, ...N]. We continue this binary search until the current
interval has shrunk to the size of one number. This is the minimum.

Grover's iteration can be used to achieve a quadratic gap also between quantum and
classical communication complexity [p2|, an issue which is beyond the scope of this
review.

9 What Gives Quantum Computers their (Possible) Extra Power

Let us ask ourselves why quantum computers can perform tasks which seem hard or
impossible to do efficiently by classical machines. This is a delicate question which is still
an issue of debate. One way to look at this question is using Feynman's path integrals.
We will associate a diagram with a computation, in which the vertical axis will run over
all $2^n$ possible classical configurations, and the horizontal axis will be time. Here is an
example of such a diagram:

[Figure: path diagram over the classical configurations of two bits, with the three time steps labeled $I \otimes H$, $H \otimes I$, $I \otimes H$.]



In this diagram, the state is initially The operation H is applied thrice: First on 
the first bit, then on the second bit and then again on the first bit. The numbers near 
the edges indicate the probability amplitude to transform between configurations:
$-1$ corresponds to $-\frac{1}{\sqrt{2}}$ and $1$ corresponds to $\frac{1}{\sqrt{2}}$. Let us now compute the weight of each
basis state in the final superposition. This weight is the sum of the weights of all paths 
leading from the initial configuration to the final one, where the weight of each path is the 
product of the weights on the edges of the path. 

$$\text{Quantum}: \quad \mathrm{Prob}(j) = \Big| \sum_{d:\, i \mapsto j} w(d) \Big|^2 \qquad (38)$$

One can see that in the above diagram the weights of 10 and 00 in the final superposition 
are zero, because the two paths leading to each one of these states cancel one another. 

What can we learn from this diagram? In order to analyze this diagram, I would like
to define a classical computation model, called stochastic circuits, which can be associated
with very similar diagrams. The comparison between the two models is quite instructive.
The nodes in a stochastic circuit have an equal number of inputs and outputs, like nodes
in a quantum circuit. Instead of unitary matrices, the nodes will be associated with
stochastic matrices, which means that the entries of the matrices are positive reals, and
the columns are probability distributions. Such matrices correspond to applying stochastic
transformations on the bits, i.e. a string i transforms to string j with the probability which
is equal to the matrix entry $R_{ij}$. For example, let R be the stochastic matrix on one bit:




This matrix takes any input to a uniformly random bit. Consider the probabilistic com- 
putation on two bits, where we apply R on the first bit, then on the second bit, and then 
again on the first bit. The diagram we get is: 




[Figure: path diagram for the three steps $I \otimes R$, $R \otimes I$, $I \otimes R$]



where the weights of all edges are $\frac{1}{2}$. Just like in quantum computation, the probability 
for a configuration in the final state is computed by summing over the weights of all paths 
leading to that configuration, where the weight of each path is the product of the weights 
of the edges participating in the path. 

Stochastic: $\mathrm{Prob}(j) = \sum_{d:\, i \mapsto j} \mathrm{Prob}(d)$ (40)

In this diagram all the configurations in the final state have probability $\frac{1}{4}$. 

We now have two models which are very similar. It can be easily seen that stochastic 
circuits are equivalent to probabilistic TM. This means that we can find the advantage 
of quantum computation over classical computation in the difference between quantum 
circuits and stochastic circuits. It is sometimes tempting to say that quantum computation 
is powerful because it has exponential parallelism. For n particles, the vertical axis will 
run over $2^n$ possible classical states. But this will also be true in the diagram of stochastic 
computation on n bits! The difference between quantum and classical computations is 
therefore more subtle. 
To reduce the difference between the two models even further, it can be shown [38] 
that the complex numbers in quantum computation can be replaced with real numbers, 
without damaging the computational power. This is done by adding an extra qubit to 
the entire circuit, which will carry the information of whether we are working in the real 
or imaginary part of the numbers. The correspondence between the superpositions of the 
complex circuit to the real circuit will be: 

$\sum_i c_i |i\rangle \longmapsto \sum_i \mathrm{Re}(c_i)|i,0\rangle + \mathrm{Im}(c_i)|i,1\rangle$ (41)

Hence quantum computers maintain their computational power even if they use only 
real valued unitary gates. There are two differences between these gates and stochastic 
gates. One is that stochastic gates have positive entries while real unitary gates have 
positive and negative entries. The other difference is that unitary gates preserve the $L_2$ 
norm of vectors, while stochastic gates preserve $L_1$ norm. The difference between the 
quantum and classical models can therefore be summarized in the following table: 

Quantum                Stochastic 
Negative + Positive    Positive 
$L_2$ Norm             $L_1$ Norm 

Why are negative numbers so important? The fact that weights can be negative allows 
different paths to cancel each other. We can have many non-zero paths leading to the 
same final configuration, all cancelling each other, causing destructive interference. This 
is exactly what happens in Deutsch and Jozsa's algorithm, Simon's algorithm and Shor's 
algorithm, where the paths that lead to "bad" strings in the last step of the algorithm 
are destructively interfering, and at the same time paths that lead to "good" strings are 
constructively interfering. In the probabilistic case, interference cannot occur. Paths 
do not talk to each other, there is no influence of one path on the other. Probabilistic 
computation has the power of exponentiality, but lacks the power of interference offered 
by computation that uses negative numbers. An exponential advantage in computational 
power of negative numbers is already familiar from classical complexity theory, when 
comparing Boolean circuits with monotone Boolean circuits [191]. 

There are other computational models which exhibit interference, such as optical com- 
puters. However, these models do not exhibit exponentiality. It is only the quantum model 
which combines the two features of exponential space which can be explored in polynomial 
time, together with the ability of interference. (See also Q.) 

Another point of view of the origin of the power of quantum computation is quantum 
correlations, or entanglement. Two qubits are said to be entangled if their state is not in 
tensor product, for example the EPR pair $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. In a system of n qubits, the 
entanglement can be spread over macroscopic range, like in the state $\frac{1}{\sqrt{2}}(|0^n\rangle + |1^n\rangle)$, or 
it can be concentrated between pairs of particles like in the state $\bigotimes^{n/2} \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. 
It can be shown that quantum computational power exists only when the entanglement 
is spread over macroscopically many particles. If the entanglement is not macroscopically 
spread, the system can be easily simulated by a classical computer Q. For the importance 
of entanglement see for example Jozsa's review [118]. This macroscopic spread of 
entanglement lies in the essence of another important topic, quantum error correcting codes, 
which we will encounter later. 



10 What We Cannot Do with Quantum Computers 

Now that we have all this repertoire of algorithms in our hands, it is tempting to try 
and solve everything on a quantum computer! Before doing that, it is worthwhile to 
understand the limitations of this model. The first thing to know is that this model 
cannot solve any question which is undecidable by a classical machine. This is simply due 
to the fact that anything that can be done in this model can be simulated on a classical 
machine by computing the coefficients of the superposition and writing them down. This 
will take an exponential amount of time, but finally will solve anything which can be done 
quantumly. Therefore the only difference between classical and quantum computation lies 
in the computational cost. 

The trivial simulation of quantum computers by classical machines is exponential both 
in time and space. Bernstein and Vazirani [38] showed that classical Turing machines can 
simulate quantum computers in polynomial space, although still in exponential time: 

Theorem 6 (Bernstein, Vazirani) $BQP \subseteq PSPACE$ 

The theorem means that anything that can be done on a quantum machine can be 
done by a classical machine which uses only polynomial space. To prove this result, have 
another look on the Feynman path graph presented in Sec. 9. To compute the weight 
of one path, we need only polynomial space. We can run over all paths leading to the 
same configuration, computing the weight one by one, and adding them up. This will give 
the probability of one configuration. To compute the probability to measure 0, we add 
the probabilities of all the configurations with the result bit being 0. This again will take 
exponential time, but only polynomial space. 
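The path-by-path simulation used in this proof, as an added example (not code from the review): it walks the paths of the two diagrams of Sec. 9 depth first, holding only the current path in memory, and applies Eq. (38) or Eq. (40) to the summed weights. The initial configuration 01, the bit ordering and all function names are assumptions; 01 is chosen so that the weights of 10 and 00 cancel as the text states.

```python
from math import sqrt

S = 1 / sqrt(2)
H = [[S, S], [S, -S]]          # Hadamard: real unitary gate with one negative entry
R = [[0.5, 0.5], [0.5, 0.5]]   # the stochastic gate R: any input -> uniformly random bit


def edge_weight(gate, bit, src, dst, n):
    """Weight of the edge src -> dst when a one-bit gate acts on position `bit`
    (0 = leftmost character of the n-bit configuration)."""
    shift = n - 1 - bit
    if (src ^ dst) & ~(1 << shift):      # the untouched bits must not change
        return 0.0
    return gate[(dst >> shift) & 1][(src >> shift) & 1]


def path_weights(layers, start, end, n):
    """Yield the weight of every non-zero path start -> end, depth first.

    Only the current path is held in memory (one frame per time step), so the
    space is polynomial while the number of paths visited is exponential."""
    if not layers:
        if start == end:
            yield 1.0
        return
    *earlier, (gate, bit) = layers
    for mid in range(2 ** n):
        w = edge_weight(gate, bit, mid, end, n)
        if w != 0.0:
            for rest in path_weights(earlier, start, mid, n):
                yield w * rest


def quantum_prob(layers, start, end, n):
    """Eq. (38): square of the summed path weights (real gates, so no conjugate)."""
    return sum(path_weights(layers, start, end, n)) ** 2


def stochastic_prob(layers, start, end, n):
    """Eq. (40): the path weights are probabilities and are simply added."""
    return sum(path_weights(layers, start, end, n))


# "First bit" is taken to be the right-hand tensor factor, matching the order
# of the diagram labels (gate on the right factor, then left, then right).
QUANTUM = [(H, 1), (H, 0), (H, 1)]
STOCHASTIC = [(R, 1), (R, 0), (R, 1)]
START = 0b01   # assumed initial configuration (not recoverable from the page)

if __name__ == "__main__":
    for end in range(4):
        paths = list(path_weights(QUANTUM, START, end, 2))
        print(f"{end:02b}: {len(paths)} paths, "
              f"quantum {quantum_prob(QUANTUM, START, end, 2):.2f}, "
              f"stochastic {stochastic_prob(STOCHASTIC, START, end, 2):.2f}")
```

Both circuits have two non-zero paths into every final configuration; only in the quantum circuit can the two weights have opposite signs and cancel.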

Valiant improved this result [^] to show that BQP is contained in a complexity class 
which is weaker than PSPACE, namely $P^{\#P}$, which I will not define here. It might still 
be that quantum computation is much less powerful, but we still do not have a proof for 
that. In particular, the relation between BQP and NP is not known yet. 

We do understand a lot about the following question: 

Can quantum computation be much more efficient than classical computation 
in terms of number of accesses to the input? 

Consider accessing the n input bits $X_i$, for a problem or a function via an oracle, 
i.e. by applying the unitary transformation: 

$|i\rangle|0\rangle \longmapsto |i\rangle|X_i\rangle$ (42)

This unitary transformation corresponds to the classical operation of asking: "what is the 
$i$'th bit?" and getting the answer $X_i$. One might hope to make use of quantum parallelism, 
and query the oracle by the superposition $\frac{1}{\sqrt{N}}\sum_i |i\rangle|0\rangle \longmapsto \frac{1}{\sqrt{N}}\sum_i |i\rangle|X_i\rangle$ 
query to the oracle, the algorithm can read all the bits, so intuitively no quantum 
algorithm needs more than one query to the oracle. It turns out that this intuition is 
completely wrong. It can be shown, using the notion of von Neumann entropy (see [161]) 
that there are no more than $\log(N)$ bits of information in the state $\frac{1}{\sqrt{N}}\sum_i |i\rangle|X_i\rangle$. 
Bennett et al. [36] show that if the quantum algorithm is supposed to compute the OR of 
the oracle bits $X_i$, then at least $\Omega(\sqrt{N})$ queries are needed. Note that OR is exactly 
the function computed by Grover's database search. Hence this gives a lower bound of 
$\Omega(\sqrt{N})$ for database search, and shows that Grover's algorithm is optimal. 

Theorem 7 Any quantum algorithm that computes $OR(X_1, \ldots, X_N)$ requires at least $\Omega(\sqrt{N})$ 
steps. 

The idea of the proof is that if the number of the queries to the oracle is small, there exists 
at least one index $i$, such that the algorithm will be almost indifferent to $X_i$, and so will not 
distinguish between the case of all bits and the case that all bits are zero except $X_i = 1$. 
Since the function which the algorithm computes is OR, this is a contradiction. 



Beals et al. [23] recently generalized the above result building on classical results by Nisan 
and Szegedi [154]. Beals et al. compare the minimal number of queries to the oracle which 
are needed in a quantum algorithm, with the minimal number of queries which are needed 
in a classical algorithm. Let us denote by $D(f)$ and $Q(f)$ the minimal number of queries 
in a classical and quantum algorithm respectively. Beals et al. show that $D(f)$ is at 
most polynomial in $Q(f)$. 

Theorem 8 $D(f) = O(Q(f)^6)$ 

Beals et al. use similar methods to give lower bounds on the time required to quantumly 
compute the functions MAJORITY, PARITYQ, OR and AND: 

OR 
AND 
PARITY      $N/2$ 
MAJORITY    $\Theta(N)$ 

(Here $f = \Theta(g)$ means that $f$ and $g$ behave the same asymptotically.) The lower 
bounds are achieved by showing that the number of times the algorithm is required to 
access the input is large. This is intuitive, since these functions are very sensitive to their 
input bits. For example, the string $0^N$ satisfies $OR(0^N) = 0$, but flipping any bit will give 
$OR(0^{N-1}1) = 1$. 

The meaning of these results is that in terms of the number of accesses to the input, 
quantum algorithms have no more than polynomial advantage over classical algorithms [159]. 
This polynomial relation can give us a hint when looking for computational problems in 
which quantum algorithms may have an exponential advantage over classical algorithms. 
These problems will have the property that in a classical algorithm that solves them, the 
bottleneck is the information processing, while the number of accesses to the input can be 
very small. Factorization is exactly such a problem. $D(f)$ is $\log(N)$, because the algorithm 
simply needs to read the number N in binary representation, but the classical information 
processing takes exponential in $\log(N)$ steps. Shor's quantum algorithm enables an 
exponential speed up in the information processing. An opposite example is the database 
search. Here, the bottleneck in classical computation is not the information processing 
but simply the fact that the size of the input is very large. Indeed, in this case, quantum 
computers have only quadratic advantage over classical computers. 

Now that we understand some of the limitations and advantages of the quantum model, 
let us go on to the subject of quantum noise. 



11 Worries about Decoherence, Precision and Inaccuracies 



Learning about the possibilities which lie in quantum computation gave rise to a lot of 
enthusiasm, but many physicists [135, 189, 57, 1£] were at the same time very sceptical about 
the entire field. The reason was that all quantum algorithms achieve their advantage 
over classical algorithms when assuming that the gates and wires operate without any 
inaccuracies or errors. Unfortunately, in reality we cannot expect any system to be ideal. 
Quantum systems in particular tend to lose their quantum nature easily. Inaccuracies 
and errors may cause the damage to accumulate exponentially fast during the time of the 
computation [57, 17, 19, 149]. In order to perform computations, one must be able to 
reduce the effects of inaccuracies and errors, and to correct the quantum state. 

Let us try to understand the types of errors and inaccuracies that might occur in a 
quantum computer. The simplest problem is that the gates perform unitary operations 
which slightly deviate from the correct ones. Indeed, it was shown by Bernstein and 
Vazirani [38] that it suffices that the entries of the gates are precise only up to 1/n, where 
n is the size of the computation. However, it is not reasonable to assume that inaccuracies 
decrease as 1/n. What seems to be reasonable to assume is that the devices we will use 
in the laboratory have some finite precision, independent of the size of the computation. 
Errors, that might occur, will behave, presumably, according to the same law of constant 
probability for error per element per time step. Perhaps the most severe problem was 
that of decoherence^^, |l8|, |0|, |5|, |lOC. Decoherence is the physical process, in which 
quantum systems lose some of their quantum characteristics due to interactions with 
environment. Such interactions are inevitable because no system can be kept entirely isolated 
from the environment. The effect of entanglement with the environment can be viewed as 
if the environment applied a partial measurement on the system, which caused the wave 
function to collapse, with certain probability. This collapse of the wave function seems to 
be an irreversible process by definition. How can we correct a wave function which has 
collapsed? 

In order to solve the problem of correcting the effects of noise, we have to give a formal 
description of the noise process. Observe that the most general quantum operation on 
a system is a unitary operation on the system and its environment. Noise, inaccuracies, 
and decoherence can all be described in this form. Formally, the model of noise is that in 
between the time steps, we will allow a "noise" operator to operate on the system and an 
environment. We will assume that the environment is renewed each time step, so there are 
no correlations between the noise processes at different times. Another crucial assumption 
is that the noise is local. This means that each qubit interacts with its own environment 
during the noise process, and that there are no interactions or correlations between these 
environments. In other words, the noise operator on n qubits, at each time step, can be 
written as a tensor product of n local noise operators, each operating on one qubit: 

$\mathcal{E} = \mathcal{E}_1 \otimes \mathcal{E}_2 \otimes \cdots \otimes \mathcal{E}_n.$

If the qubits were correlated in the last time step by a quantum gate, the local noise 
operator operates on all the qubits participating in one gate together. This noise model 
assumes that correlations between errors on different qubits can only appear due to the 
qubits interacting through a gate. Otherwise, each qubit interacts with its own environ- 
ment. 

The most general noise operator on one qubit is a general unitary transformation on 
the qubit and its environment: 

$|e\rangle|0\rangle \longmapsto |e_0\rangle|0\rangle + |e'_0\rangle|1\rangle$ (43)
$|e\rangle|1\rangle \longmapsto |e_1\rangle|1\rangle + |e'_1\rangle|0\rangle$

When qubits interact via a gate, the most general noise operation would be a general 
unitary transformation on the qubits participating in the gate and their environments. 

When dealing with noise, it is more convenient to use the language of density matrices, 
instead of vectors in the Hilbert space. I will define them here, so that I can explain the 
notion of "amount of noise" in the system, however they will rarely be used again later in 
this review. The density matrix describing a system in the state $|\alpha\rangle$ is $\rho = |\alpha\rangle\langle\alpha|$. The 
density matrix of part A of the system can be derived from $\rho$ by tracing out, or integrating, 
the degrees of freedom which are not in A. The unitary operation on the environment 
and the system, which corresponds to quantum noise, can be viewed as a linear operator 
on the density matrix describing only the system. As a metric on density matrices we 
can use the fidelity [201], or the trace metric^], where the exact definition does not matter 
now. Two quantum operations are said to be close if when operating on the same density 
matrix, they generate two close density matrices. We will say that the noise rate in the 
system is $\eta$ if each of the local noise operators is within $\eta$ distance from the identity map 
on density matrices. 

We now want to find a way to compute fault tolerantly in the presence of noise rate 
$\eta$, where we do not want to assume any knowledge about the noise operators, except the 
noise rate. We will first concentrate on a simple special case, in which the computation 
consists of one time step which computes the identity operator on all qubits. This problem 
is actually equivalent to the problem of communicating with noisy channels. In order to 
understand the subtle points when trying to communicate with noisy channels, let us 
consider the classical analogous case. Classical information is presented by a string of bits 
instead of qubits, and the error model is simply that each bit flips with probability $\eta$. 

Suppose Alice wants to send Bob a string of bits, and the channel which they use 
is noisy, with noise rate $\eta$, i.e. each bit flips with probability $\eta$. In order to protect 
information against noise, Alice can use redundancy. Instead of sending k bits, Alice will 
encode her bits on more bits, say n, such that Bob can apply some recovery operation to 
get the original k bits. The idea is that to first approximation, most of the bits will not 
be damaged, and the encoded bits, sometimes called the logical bits, can be recovered. 
The simplest example of a classical code is the majority code, which encodes one logical 
bit on three bits. 

$0 \longmapsto 0_L = 000, \quad 1 \longmapsto 1_L = 111$

This classical code corrects one error, because if one bit has flipped, taking the majority 
vote of the three bits still recovers the logical bit. However, if more than one bit has 
flipped, the logical bit can no longer be recovered. If the probability for a bit flip is $\eta$, 
then the probability that the three bits cannot be recovered, i.e. the effective noise rate 
$\eta_e$, equals: 

$\eta_e = 3\eta^2(1 - \eta) + \eta^3.$

If we require that we gain some advantage in reliability by the code, then $\eta_e < \eta$ implies 
a threshold on $\eta$, which is $\eta < 0.5$. If $\eta$ is above the threshold, using the code will only 
decrease the reliability. 

The majority code becomes extremely inefficient when Alice wants to send long 
messages. If we require that Bob receives all the logical bits with high probability of being 
correct, Alice will have to use exponential redundancy for each bit. However, there are 
error correcting codes which map k bits to $m = O(k)$ bits, such that the probability for 
Bob to get the original message of k bits correct is high, even when k tends to infinity. 
A very useful class of error correcting codes are the linear codes, for which the mapping 
from k bits to n bits is linear, and the set of code words, i.e. the image of the mapping, is 
a linear subspace of $F_2^n$. A code is said to correct d errors if a recovery operation exists 
even if d bits have flipped. The Hamming distance between two strings is defined to be 
the number of coordinates by which the two strings differ. Being able to recover the string 
after d bit flips have occurred implies that the distance between two possible code words is 
at least 2d + 1, so that each word is corrected uniquely. For an introduction to the subject 
of classical error correcting codes, see van Lint [139]. 

We define a quantum code in a similar way. The state of k qubits is mapped into the 
state of m qubits. The term logical state is used for the original state of the k qubits. We 
say that such a code corrects d errors, if there exists a recovery operation such that if not 
more than d qubits were damaged, the logical state can still be recovered. It is important 
here that Bob has no control on the environment with which the qubits interacted during 
the noise process. Therefore we require that the recovery operation does not operate on 
the environment but merely on the m qubits carrying the message and perhaps some 
ancilla qubits. The image of the map in the Hilbert space of m qubits will be called a 
quantum code. 

Let us now try to construct a quantum code. Suppose that Alice wants to send Bob a 
qubit in the state $c_0|0\rangle + c_1|1\rangle$. How can she encode the information? One way to do this 
is simply to send the classical information describing $c_0$ and $c_1$ up to the desired accuracy. 
We will not be interested in this way, because when Alice wants to send Bob a state of n 
qubits, the amount of classical bits that needs to be sent grows exponentially with n. We 
will want to encode qubits on qubits, to prevent this exponential overhead. The simplest 
idea that comes to mind is that Alice generates a few copies of the same state, and sends 
the following state to Bob: 

$c_0|0\rangle + c_1|1\rangle \longmapsto (c_0|0\rangle + c_1|1\rangle)\,(c_0|0\rangle + c_1|1\rangle)\,(c_0|0\rangle + c_1|1\rangle).$

Then Bob is supposed to apply some majority vote among the qubits. Unfortunately, a 
quantum majority vote among general quantum states is not a linear operation. Therefore, 
simple redundancy will not do. Let us try another quantum analog of the classical majority 
code: 

$c_0|0\rangle + c_1|1\rangle \longmapsto c_0|000\rangle + c_1|111\rangle$

This code turns out to be another bad quantum code. It does not protect the quantum 
information even against one error. Consider for example, the local noise operator which 
operates on the first qubit in the encoded state $c_0|000\rangle + c_1|111\rangle$. It does nothing to that 
qubit, but it changes the state of the environment according to whether this bit is 0 or 1: 

$|0\rangle \otimes |e\rangle \longmapsto |0\rangle \otimes |e_0\rangle$ (44)
$|1\rangle \otimes |e\rangle \longmapsto |1\rangle \otimes |e_1\rangle$

Here $\langle e_0|e_1\rangle = 0$. Even though only an identity operation was applied on the first bit, the 
fact that the environment changed according to the state of this bit is equivalent to the 
environment measuring the state of the first qubit. This measurement is an irreversible 
process. After the noise operation, the environment is no longer in a tensor product with 
the state. Bob can only apply local operations on his system, and cannot control the 
environment. This means that the entanglement between the state of the first qubit, and 
the environment cannot be broken during the recovery operation; the coherence of the 
state is lost. A theorem due to Schumacher and Nielsen [169] formalizes this intuition. 
The claim is that if the reduced density matrix of the environment is different for different 
code words, then there is no unitary operation that operates on the system and recovers 
the logical state. 



Theorem 9 It is impossible to recover the logical state, if information about it has leaked 
to the environment via the noise process. 

This theorem underlines the main distinction between quantum error correcting codes 
and classical error correcting codes. Quantum codes try to hide information from the 
environment. In contrast, the protection of classical information from noise is completely 
orthogonal to the question of hiding secrets. The theorem gives us insight as to the basic 
idea in quantum computation: The idea is to spread the quantum information over more 
than d qubits, in a non-local way, such that the environment which can access only a 
small number of qubits can gain no information about the quantum logical state, and this 
information will be protected. Now that we have some intuition about the requirements 
from quantum codes, we can proceed to show how to construct such codes. 

12 Correcting Quantum Noise 

In order to succeed in correcting quantum noise, we need to consider more carefully the 
process of noise. The first and most crucial step is the discovery that quantum noise can 
be treated as discrete. In the quantum setting, we assume all qubits undergo a noise of size 
$\eta$. We want to replace this with the case in which a few qubits are completely damaged, 
but the rest of the qubits are completely fine. This can be done by rewriting the effect of 
a general noise operator. Let the state of m qubits be $|\alpha\rangle$. If the noise rate is $\eta$, we can 
develop the operation of a general noise operator operating on $|\alpha\rangle$ by orders of magnitude 
of $\eta$: 

$\mathcal{E}_1 \mathcal{E}_2 \cdots \mathcal{E}_m |\alpha\rangle = (I_1 + \eta\mathcal{E}'_1)(I_2 + \eta\mathcal{E}'_2) \cdots (I_m + \eta\mathcal{E}'_m)|\alpha\rangle =$ (45)
$I_1 I_2 \cdots I_m |\alpha\rangle + \eta\,(\mathcal{E}'_1 I_2 \cdots I_m + \ldots + I_1 I_2 \cdots I_{m-1}\mathcal{E}'_m)|\alpha\rangle + \ldots + \eta^m (\mathcal{E}'_1 \mathcal{E}'_2 \cdots \mathcal{E}'_m)|\alpha\rangle.$

The lower orders in $\eta$ correspond to a small number of qubits being operated upon, 
and higher orders in $\eta$ correspond to more qubits being contaminated. This way of writing 
the noise operator is the beginning of discretization of the quantum noise, because in each 
term a qubit is either damaged or not. For small $\eta$, we can neglect higher order terms 
and concentrate on the lower orders, where only one or two qubits are damaged out of m. 
A special case of this model is the probabilistic model, in which the local noise operator 
applies a certain operation with probability $\eta$ and the identity operation with probability 
$(1 - \eta)$. In this model, if the quantum system consists of m qubits, we can assume that 
with high probability only a few of the qubits went through some noise process. There 
are noise operators, such as amplitude damping, which do not obey this probabilistic 
behavior. However their description by equation (45) shows that we can treat them in the 
same discrete manner. 

The second step is the discretization of the noise operation itself. The most general 
quantum operation on the $k$'th qubit and its environment is described by: 

$|e\rangle|0_k\rangle \longmapsto |e_0\rangle|0_k\rangle + |e'_0\rangle|1_k\rangle$ (46)
$|e\rangle|1_k\rangle \longmapsto |e_1\rangle|1_k\rangle + |e'_1\rangle|0_k\rangle$

This operation, applied on any logical state $c_0|0_L\rangle + c_1|1_L\rangle$, acts as the following 
operator: 

$(c_0|0_L\rangle + c_1|1_L\rangle) \longmapsto \left(|e_+\rangle I + |e_-\rangle\sigma_z^k + |e'_+\rangle\sigma_x^k - |e'_-\rangle i\sigma_y^k\right)(c_0|0_L\rangle + c_1|1_L\rangle),$ (47)

Where the $\sigma^k$ are the Pauli operators acting on the $k$'th qubit: 

(48) 

The environment states are defined as $|e_\pm\rangle = (|e_0\rangle \pm |e_1\rangle)/2$, $|e'_\pm\rangle = (|e'_0\rangle \pm |e'_1\rangle)/2$. The 
most crucial observations, which enable us to correct quantum errors, hide in equation 47. 
The first observation is that everything that can happen to a qubit is composed of four 
basic operations, so it is enough to correct for these four errors|35 1, tL29|. This resembles 
a discrete model more than a continuous one, and gives hope that such discrete errors can 
be corrected. The second crucial point is that the states of the environment which are 
entangled with the system after the operation of noise, are independent of $(c_0|0_L\rangle + c_1|1_L\rangle)$ 
and depend only on which of the four operations were applied. In particular, for any 
superposition of the logical states $|0_L\rangle$, $|1_L\rangle$, the operator will look the same. This suggests 
the following scheme of breaking the entanglement of the system with the environment. 
The idea is to measure which one of the four possible operators was applied. This is called 
the syndrome of the error. Measuring the syndrome will collapse the system to a state 
which is one of the following tensor products of the system and the environment: 

$\left(|e_+\rangle I + |e_-\rangle\sigma_z^k + |e'_+\rangle\sigma_x^k - |e'_-\rangle i\sigma_y^k\right)(c_0|0_L\rangle + c_1|1_L\rangle) \;\xrightarrow{\text{measure}}\; \begin{cases} |e_+\rangle\, I\,(c_0|0_L\rangle + c_1|1_L\rangle) \\ |e_-\rangle\, \sigma_z^k\,(c_0|0_L\rangle + c_1|1_L\rangle) \\ |e'_+\rangle\, \sigma_x^k\,(c_0|0_L\rangle + c_1|1_L\rangle) \\ |e'_-\rangle\, i\sigma_y^k\,(c_0|0_L\rangle + c_1|1_L\rangle) \end{cases}$ (49)

After we know which of the operators had occurred, we can simply apply its reverse, and 
the state $c_0|0_L\rangle + c_1|1_L\rangle$ will be recovered. This reduces the problem of error correction to 
being able to detect which of the four operators had occurred. The operator $\sigma_x$ corresponds 
to a bit flip, which is a classical error. This suggests the following idea: If the superposition 
of the encoded state, is a sum of strings $|i\rangle$ where the $i$'s are strings from a classical 
code, then bit flips can be detected by applying classical techniques. Correcting the noise 
operator $\sigma_z$, which is a phase flip, seems harder, but an important observation is that 
$\sigma_z = H\sigma_x H$, where H is the Hadamard transform. Therefore, phase flips correspond to 
bit flips occurring in the Fourier transform of the state! If the Fourier transform of the 
state is also a superposition of strings in a classical code, this enables a correction of phase 
flips by correcting the bit flips in the Fourier transform basis. This idea was discovered 
by Calderbank and Shor [53] and Steane [18C]. 



A simple version of the recipe they discovered for cooking a quantum code goes as 
follows. Let $C \subset F_2^m$ be a linear classical code, which corrects d errors, such that $C^\perp$, the 
set of all strings orthogonal over $F_2$ to all vectors in C, is strictly contained in C. We look 
at the cosets of $C^\perp$ in C, i.e. we partition C to non intersecting sets which are translations 
of $C^\perp$ of the form $C^\perp + v$. The set of vectors in C, with the identification of w with w' 
when $w - w' \in C^\perp$ is called $C/C^\perp$. For each $w \in C/C^\perp$ we associate a code word: 

$|w\rangle \longmapsto |w_L\rangle = \sum_{i \in C^\perp} |i + w\rangle$ (50)

where we omit overall normalization factors. Note that all the strings which appear in 
the superposition are vectors in the code C. It is easy to check that the same is true 
for the Fourier transform over $Z_2^m$ of the code words, which is achieved by applying the 
Hadamard gate, on each qubit: 

$H \otimes H \otimes \cdots \otimes H\,|w_L\rangle =$ (51)

The error correction goes as follows. To detect bit flips, we apply the classical error 
correction according to the classical code C, on the states in equation (50). This operation 
computes the syndrome (in parallel for all strings) and writes it on some ancilla qubits. 
Measuring the ancilla will collapse the state to a state with a specific syndrome, and we 
can compute according to the result of the measurement which qubits were affected by a 
bit flip, and apply NOT on those qubits. To detect phase flips we apply Fourier transform 
on the entire state, and correct bit flips classically according to the code C. Then we 
apply the reverse of the Fourier transform. This operation will correct phase flips. $\sigma_y$ is a 
combination of a bit flip and a phase flip, and is corrected by the above sequence of error 
corrections [53]. 



The number of qubits which can be encoded by this code is the logarithm with base 
2 of the dimension of the space spanned by the code words. To calculate this dimension, 
observe that the code words for different w's in $C/C^\perp$ are perpendicular. The dimension of 
the quantum code is equal to the number of different words in $C/C^\perp$, which is $2^{\dim(C/C^\perp)}$. 
Hence the number of qubits which can be encoded by this quantum code is $\dim(C/C^\perp)$. 

Here is an example, due to Steane [18C]. Steane's code encodes one qubit on seven 
qubits, and corrects one error. It is constructed from the classical code known as the 
Hamming code, which is the subspace of $F_2^7$ spanned by the four vectors: 
$C = \mathrm{span}\{1010101, 0110011, 0001111, 1111111\}$. $C^\perp$ is spanned by the three vectors: 
1010101, 0110011, 0001111. Since C is of dimension 4, and $C^\perp$ is of dimension 3, the 
number of qubits which we can encode is 1. The two code words are: 

$|0_L\rangle = |0000000\rangle + |1010101\rangle + |0110011\rangle + |1100110\rangle$ (52)
$\qquad + |0001111\rangle + |1011010\rangle + |0111100\rangle + |1101001\rangle$
$|1_L\rangle = |1111111\rangle + |0101010\rangle + |1001100\rangle + |0011001\rangle$
$\qquad + |1110000\rangle + |0100101\rangle + |1000011\rangle + |0010110\rangle$

Observe that the minimal Hamming distance between two words in C is 3, so one bit 
flip and one phase flip can be corrected. 
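The recipe above carried through for Steane's code, as an added example (not code from the review or from the cited papers): it builds $C$, $C^\perp$ and the code words of Eq. (50), applies the Hadamard gate to every qubit, and runs the bit-flip correction in both bases on a damaged logical state. Only the four generator strings come from the text; the function names, the dictionary representation of states and the qubit numbering are assumptions.

```python
from math import sqrt

N = 7
# Generators of the Hamming code C as listed in the text; the first three span C-perp.
GENS_C = ["1010101", "0110011", "0001111", "1111111"]
GENS_DUAL = GENS_C[:3]


def to_int(bits):
    return int(bits, 2)


def dot(x, y):
    """Inner product over F_2 of two bit strings held as ints."""
    return bin(x & y).count("1") % 2


def span(gens):
    """Set of all F_2 linear combinations of the generator strings."""
    words = {0}
    for g in map(to_int, gens):
        words |= {w ^ g for w in words}
    return words


C = span(GENS_C)
C_DUAL = {v for v in range(2 ** N) if all(dot(v, c) == 0 for c in C)}


def codeword(w):
    """|w_L> of Eq. (50), normalised: equal superposition over the coset C-perp + w.
    States are dicts {basis string as int: amplitude} (assumed representation)."""
    return {i ^ w: 1 / sqrt(len(C_DUAL)) for i in C_DUAL}


def hadamard_all(state):
    """H on every qubit, i.e. the Fourier transform over Z_2^N."""
    out = {}
    for y in range(2 ** N):
        a = sum(amp * (-1) ** dot(x, y) for x, amp in state.items()) / sqrt(2 ** N)
        if abs(a) > 1e-12:
            out[y] = a
    return out


def mask(k):
    return 1 << (N - 1 - k)          # qubit 0 is the leftmost character


def bit_flip(state, k):              # sigma_x on qubit k
    return {x ^ mask(k): a for x, a in state.items()}


def phase_flip(state, k):            # sigma_z on qubit k
    return {x: (-a if x & mask(k) else a) for x, a in state.items()}


def syndrome(x):
    """Parity checks of C: inner products with the generators of C-perp."""
    return tuple(dot(x, to_int(g)) for g in GENS_DUAL)


# Every single-bit error has its own non-zero syndrome (C corrects one error).
FIX = {syndrome(mask(k)): mask(k) for k in range(N)}
FIX[(0, 0, 0)] = 0


def correct_bit_flips(state):
    """Classical correction for C applied to every string of the superposition
    (at most one flipped bit assumed). Returns the state and the syndromes seen."""
    seen = {syndrome(x) for x in state}
    return {x ^ FIX[syndrome(x)]: a for x, a in state.items()}, seen


def recover(state):
    """Bit-flip correction, then the same correction in the Fourier basis."""
    state, s_bit = correct_bit_flips(state)
    state, s_phase = correct_bit_flips(hadamard_all(state))
    return hadamard_all(state), s_bit, s_phase


def logical(c0, c1):
    """c0|0_L> + c1|1_L>."""
    state = {x: c0 * a for x, a in codeword(0).items()}
    state.update({x: c1 * a for x, a in codeword(to_int("1111111")).items()})
    return state


def same(s, t):
    return all(abs(s.get(x, 0) - t.get(x, 0)) < 1e-9 for x in set(s) | set(t))
```

All strings of a damaged code word share one syndrome, which is why reading the syndrome reveals the error without revealing $c_0$ or $c_1$.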

One qubit cannot be encoded on less than 5 qubits, if we require that an error correction 
of one general error can be done. This was shown by Knill and Laflamme [129]. Such a 
code, called a perfect quantum code, was found by Bennett et al. [51] and by Laflamme 
et al. [134]. If we restrict the error, e.g. only bit flips or only phase flips occur, then one 
qubit can be encoded on less than 5 qubits. 

The theory of quantum error correcting codes has further developed. A group 
theoretical structure was discovered [^, 105, 106, 129, 175], which most of the known 
quantum error correcting codes obey. Codes that obey this structure are called stabilizer 
codes [|0F 
and their group theoretical structure gives a recipe for constructing more 
quantum codes. Quantum codes are used for purposes of quantum communication with 
noisy channels, which is out of the scope of this review. For an overview on the subject of 
quantum communication consult Refs. [21, 158] and [144]. We now have the tools to deal 
with the question of quantum computation in the presence of noise, which I will discuss 
in the next section. 



13 Fault Tolerant Computation 

In order to protect quantum computation, the idea is that one should compute on encoded
states. The entire operation will occur in the protected subspace, and every once in a while
an error correction procedure will be applied, to ensure that errors do not accumulate.
The original quantum circuit will be replaced by a quantum circuit which operates on
encoded states. Suppose we use a quantum code which encodes one qubit into a block
of 5 qubits. Then in the new circuit, each wire will be replaced by five wires, and the
state of the new circuit will encode the state of the original circuit. In order to apply
computation on encoded states, the original gates will be replaced by procedures which
apply the corresponding operation. If $\Phi$ is the encoding and $U$ is a quantum gate, then
$\Phi(U)$ should be the "encoded gate" U, which preserves the encoding. In other words, the
following diagram should be commutative:
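$$
\begin{array}{ccc}
\Phi(|\alpha\rangle) & \xrightarrow{\;\Phi(U)\;} & \Phi(U|\alpha\rangle) \\
\uparrow & & \uparrow \\
|\alpha\rangle & \xrightarrow{\;\;U\;\;} & U|\alpha\rangle
\end{array}
$$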



Hence, using a code $\Phi$, which takes one qubit to m qubits, we replace a quantum
circuit by another circuit which operates on encoded states. In this circuit:

• 1 qubit $\mapsto$ m qubits

• A gate $U \mapsto \Phi(U)$

• Every few time steps, an error correction procedure is applied.

However, this naive scheme encounters deep problems. Since quantum gates create
interactions between qubits, errors may propagate through the gates. Even a small number
of errors might spread to more qubits than the error correction can recover. Moreover, we
can no longer assume that the recovery operation is error free. The correction procedure
might cause more damage than it recovers. Consider, for example, a code $\Phi$ that takes
one qubit to 5 qubits. A gate on two qubits, U, is replaced in the encoded circuit by the
encoded gate $\Phi(U)$ which operates on 10 qubits. Let us consider two scenarios:





[Figure: two implementations, (a) and (b), of the encoded gate $\Phi(U)$.]
In figure (a), the encoded gate is a gate array with large connectivity. An error which
occurred in the first qubit will propagate through the gates to five more qubits. At the
end of the procedure, the number of damaged qubits is too large for any error correction
to take care of. Such a procedure will not tolerate even one error! In figure (b), we see an
alternative way to implement $\Phi(U)$, in which the error cannot propagate to more than one
qubit in each block. If the gate is encoded such that one error affects only one qubit in each
block, we say that the encoded gate is implemented distributively. Such damage will be
corrected during the error corrections. Of course, the error correction procedures should
also be implemented in a distributed manner. Otherwise the errors generated during the
correction procedure itself will contaminate the state.

Probably the simplest gate to implement distributively is the encoded NOT gate on
Steane's code. The encoded NOT is simply achieved by applying a NOT gate bitwise
on each qubit in the code. The implementation of the XOR gate is applied bitwise as
well, and the network is the same as that in figure (b), only on 7 qubits instead of five.
However, for other gates much more work needs to be done. Shor [174] showed a way to
implement a universal set of gates in this way, where the implementation of some of the
gates, and Toffoli's gate in particular, requires some hard work and the use of additional
"ancilla" or "working" qubits. Together with the set of universal encoded gates, one also
needs an error correction procedure, an encoding procedure to be used in the beginning of
the computation, and a decoding procedure to be used at the end. All these procedures
should be implemented distributively, to prevent propagation of errors. A code which is
accompanied by a set of universal gates, encoding, decoding and correction procedures,
all implemented distributively, will be called a quantum computation code. Since Shor's
suggestion, other computation codes were found[^, |12^ . Gottesman [106] has generalized
these results and showed how to construct a computation code from any stabilizer code.
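
The classical bookkeeping behind Steane's code words of equation (52) and the bitwise encoded NOT described above can be checked directly. The following Python sketch is an added example, not code from the review: it rebuilds the two classical codes from the generators listed in the text, enumerates the cosets that give the basis strings of the two code words, and locates a single bit flip from its syndrome. All function names are illustrative assumptions.

```python
# Added example: classical bookkeeping for Steane's code (not code from the review).
C_GENERATORS = ["1010101", "0110011", "0001111", "1111111"]  # Hamming code C
DUAL_GENERATORS = ["1010101", "0110011", "0001111"]          # dual code, also the parity checks of C
ALL_ONES = 0b1111111

def span(generators):
    """Every GF(2) linear combination of the generators, as a set of 7-bit ints."""
    words = {0}
    for g in (int(s, 2) for s in generators):
        words |= {w ^ g for w in words}
    return words

def weight(x):
    return bin(x).count("1")

def min_distance(code):
    """For a linear code the minimum distance equals the minimum nonzero weight."""
    return min(weight(w) for w in code if w)

def cosets(code, dual):
    """Cosets of dual inside code; each one lists the basis strings of one code word."""
    seen, result = set(), []
    for w in sorted(code):
        if w not in seen:
            coset = frozenset(w ^ i for i in dual)
            seen |= coset
            result.append(coset)
    return result

def locate_flip(word):
    """Syndrome of a 7-bit string: 0 if it lies in C, else the flipped position (1 = leftmost)."""
    bits = [weight(word & int(h, 2)) % 2 for h in DUAL_GENERATORS]
    return bits[0] + 2 * bits[1] + 4 * bits[2]

def encoded_not(codeword):
    """Bitwise NOT applied to every basis string of a code word."""
    return frozenset(w ^ ALL_ONES for w in codeword)

def as_strings(codeword):
    return sorted(format(w, "07b") for w in codeword)

C = span(C_GENERATORS)
C_DUAL = span(DUAL_GENERATORS)
ZERO_L, ONE_L = cosets(C, C_DUAL)   # the coset containing 0000000 comes first

if __name__ == "__main__":
    print("dim C =", len(C).bit_length() - 1, " dim of dual =", len(C_DUAL).bit_length() - 1)
    print("minimum distance of C:", min_distance(C))
    print("|0_L> strings:", as_strings(ZERO_L))
    print("|1_L> strings:", as_strings(ONE_L))
    print("NOT maps |0_L> to |1_L>:", encoded_not(ZERO_L) == ONE_L)
    print("flip at position 5 located at:", locate_flip(min(ONE_L) ^ (1 << 2)))
```

The syndrome check covers bit flips only; the text's phase flip correction is the same classical procedure applied after the basis change discussed earlier in the review.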

Is the encoded circuit more reliable? The effective noise rate, $\eta_e$, of the encoded
circuit is the probability for an encoded gate to suffer a number of errors which cannot be
corrected. In the case of figure (b), one error is still recoverable, but two are not. The
effective noise rate is thus the probability for two or more errors to occur in $\Phi(U)$. Let
A denote the number of places in the implementation of $\Phi(U)$ where errors can occur.
A stands for the area of $\Phi(U)$. The probability for more than d errors to occur can be
bounded from above, using simple counting arguments:

(53) 

We will refer to this bound as the effective noise rate. To make a computation of size n
reliable, we need an effective noise rate of the order of $\frac{1}{n}$. Using a code with blocks of
log(n) qubits, Shor [174] managed to show that the computation will be reliable, with polynomial
cost. However, Shor had to assume that $\eta$ is as small as O( ^^^j"^^^ ). This assumption
is not physically reasonable, since $\eta$ is a parameter of the system, independent of the
computation size. The reader is urged to play with the parameters of equation (53) in
order to be convinced that assuming $\eta$ to be constant cannot lead to a polynomially small
effective noise rate, as required.




Another idea, which was found independently by several groups [|]|, 125, 124, 107], was
needed to close the gap, and to show that computation in the presence of constant noise
rate and finite precision is possible. The idea is simple. Apply Shor's scheme recursively,
gaining a small improvement in the effective noise rate each level. Each circuit is replaced
by a slightly more reliable circuit, which is replaced again by yet another circuit. If each
level gains only a slight improvement from $\eta$ to $\eta^{1+\epsilon}$, then the final circuit, which is the
one implemented in the laboratory, will have an effective noise rate exponentially smaller:

$$\eta \to \eta^{1+\epsilon} \to \cdots \to \eta^{(1+\epsilon)^r}$$

The number of levels the recursion should be applied to get a polynomially small effective
noise rate is only O(log(log(n))). The cost in time and space is thus only polylogarithmic.
A similar concatenation scheme was used in the context of classical self correcting cellular
automata [66, 98].

The requirement that the noise rate is improved from one level to the next imposes a
threshold requirement on $\eta$:

^d+i ^ ^ 

If $\eta$ satisfies the above requirement, fault tolerant computation can be achieved. This
is known as the threshold result g |l2|, |l2|, |0§:

Theorem 10 Fault tolerance: Quantum computation of any length can be applied
efficiently with arbitrary level of confidence, if the noise rate is smaller than the threshold
$\eta_c$.

The threshold $\eta_c$ depends on the parameters of the computation code: A, the largest
procedure's area, and d, the number of errors which the code can correct. Estimations
[||5|, 128, 106, 107, 130, 162] of $\eta_c$ are in the range between 10~^ and 10^^. Presumably the
correct threshold is much higher. The highest noise rate in which fault tolerance is possible
is not known yet.
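
A numerical sketch of the recursion and the threshold described above, as an added example that is not part of the review. It assumes the counting bound has the union-bound form $\binom{A}{d+1}\eta^{d+1}$; the function names and the values A = 100, d = 1 are constructed for illustration.

```python
from math import comb

def effective_noise(eta, area, d):
    """Assumed counting bound: chance that more than d of `area` fault locations fail.
    Capped at 1 because it bounds a probability."""
    return min(1.0, comb(area, d + 1) * eta ** (d + 1))

def threshold(area, d):
    """Noise rate at which one level of encoding stops helping: bound(eta) == eta."""
    return comb(area, d + 1) ** (-1.0 / d)

def levels_needed(eta, area, d, n, max_levels=64):
    """Levels of recursion until the effective rate is at most 1/n.
    Returns None when eta is at or above the threshold, where no level helps."""
    if eta >= threshold(area, d):
        return None
    target = 1.0 / n
    for level in range(max_levels + 1):
        if eta <= target:
            return level
        eta = effective_noise(eta, area, d)
    return None

def trajectory(eta, area, d, levels):
    """Effective noise rate after 0, 1, ..., `levels` levels of encoding."""
    rates = [eta]
    for _ in range(levels):
        rates.append(effective_noise(rates[-1], area, d))
    return rates

if __name__ == "__main__":
    AREA, D = 100, 1          # constructed parameters, not taken from the review
    print("threshold:", threshold(AREA, D))
    print("below threshold:", trajectory(1e-5, AREA, D, 4))   # shrinks doubly exponentially
    print("above threshold:", trajectory(1e-3, AREA, D, 4))   # grows until the cap at 1
    for n in (10**6, 10**12, 10**24, 10**48):
        print("n =", n, "levels:", levels_needed(1e-5, AREA, D, n))
```

Squaring the size of the computation adds only a level or two, which is the O(log(log(n))) behaviour stated in the text.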

The rigorous proof of the threshold theorem is quite complicated. To gain some insight 
we can view the final r'th circuit as a multi scaled system, where computation and error 
correction are applied in many scales simultaneously. The largest procedures, computing 
on the largest (highest level) blocks, correspond to operations on the logical qubits, i.e. 
qubits in the original circuit. The smaller procedures, operating on smaller blocks, corre- 
spond to computation in lower levels. Note, that each level simulates the error corrections 
in the previous level, and adds error corrections in the current level. The final circuit, 
thus, includes error corrections of all the levels, where during the computation of error 
corrections of larger blocks smaller blocks of lower levels are being corrected. The lower the 
level, the more often error corrections of this level are applied, which is in correspondence 
with the fact that smaller blocks are more likely to be quickly damaged. 

The actual system consists of $m = n\log^{c}(n)$ qubits (where n is the size of the original
circuit), with a Hilbert space $\mathcal{H} = \mathbb{C}^{2^m}$. In this Hilbert space we find a subspace,
isomorphic to $\mathbb{C}^{2^n}$, which is protected against noise. This subspace is a complicated multi-scaled
construction, which is small in dimensions, compared to the Hilbert space of the system,
but not negligible. The subspace is protected against noise for almost as long as we wish,
and the quantum computation is done exactly in this protected subspace. The rate by
which the state increases its distance from this subspace corresponds to the noise rate.
The efficiency of the error correction determines the rate by which the distance from this
subspace decreases. The threshold in the noise rate is the point where the distance
decreases faster than it increases. In a sense, the situation can be viewed as the operation
of a renormalization group, the change in the noise rate being the renormalization flow.



It should be noted that along the proof of fault tolerance, a few implicit assumptions
were made [183]. The ancilla qubits that we need in the middle of the computation for error
correction are assumed to be prepared in state $|0\rangle$ when needed, and not at the beginning
of the computation. This requires the ability to cool part of the system constantly. It was
shown by Aharonov et al. |^] that if all operations are unitary, the system keeps warming
(in the sense of getting more noise) with no way to cool, and the rate at which the system
warms up is exponential. Fault tolerant quantum computation requires using non-unitary
gates which make it possible to cool a qubit. This ability to cool qubits is used implicitly in all
fault tolerant schemes. Another point which should be mentioned is that fault tolerant
computation uses immense parallelism, i.e. there are many gates which are applied at
the same time. Again, this implicit assumption is essential. If operations were sequential,
fault tolerant computation would have been impossible, as was shown by Aharonov and
Ben-Orj^. However, with mass parallelism, constant supply of cold qubits and a noise
rate which is smaller than $\eta_c$, it is possible to perform fault tolerant computation.

The fault tolerance result holds for the general local noise model, as defined before,
and this includes probabilistic collapses, inaccuracies, systematic errors, decoherence, etc.
One can compute fault tolerantly also with quantum circuits which are allowed to operate
only on nearest neighbor qubits^l (In this case the threshold $\eta_c$ will be smaller, because
the procedures are bigger when only nearest neighbor interactions are allowed.) In a
sense, the question of noisy quantum computation is theoretically closed. But a question
still ponders our minds: Are the assumptions on the noise correct? Dealing with non-local
noise is an open and challenging problem.



14 Conclusions and Fundamental Questions 

We cannot foresee which goals will be achieved, if quantum computers will be the next step
in the evolution of computation [115]. This question involves two directions of research.
From the negative side, we are still very far from understanding the limitations of quantum
computers as computation devices. It is possible that quantum Fourier transforms are the
only real powerful tool in quantum computation. Up to now, this is the only tool which
implies exponential advantage over classical algorithms. However, such a strong statement
of the uniqueness of the Fourier transform is not known. Taking a more positive view,
the goal is to find other techniques in addition to the Fourier transform. One of the main
directions of research in quantum algorithms is finding efficient solutions for a number
of problems which are not known to be NP complete, but do not have a known efficient
classical solution. Such is the problem of checking whether two graphs are isomorphic,
known as Graph Isomorphism. Another important direction in quantum algorithms is
finding algorithms that simulate quantum physical systems more efficiently. The field of
quantum complexity is still in its infancy.

Hand in hand with the complexity questions, arise deep fundamental questions about 
quantum physics. The computational power of all classical systems seems to be equivalent,
whereas quantum complexity, in light of the above results, seems inherently different. If it 
is true that quantum systems are exponentially better computation devices than classical 
systems, this can give rise to a new definition of quantum versus classical physics, and 
might lead to a change in the way we understand the transition from quantum to classical 
physics. The "phase diagram" of quantum versus classical behavior can be viewed as 
follows: 



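[Figure: phase diagram along the noise rate axis, with the QUANTUM regime on the left, the
CLASSICAL regime on the right, and a "?" marking the region between them.]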



Changing the noise rate, the system transforms from quantum behavior to classical
behavior. As was shown by Aharonov and Ben-Or[Q, there is a constant $\eta$ bounded away
from 1 where the system cannot perform quantum computation at all. Fault tolerance
shows that there is a constant $\eta$ bounded away from 0 for which quantum systems
exhibit their full quantum computation power. The regimes are characterized by the range of
quantum entanglement, where in the quantum regime this range is macroscopic, and
quantum computation is possible. On the right, "classical", range, entanglement is confined
to microscopic clusters. A very interesting question is how the transition between
the two regimes occurs. In we gave indications to the fact that the transition is sharp
and has many characteristics of a phase transition (and see also [119]). The order
parameter corresponds to the range of entanglement, or to the size of entangled clusters of
qubits. Unfortunately, we have not yet been able to prove the existence of such a phase
transition, presumably because of lack of the correct definition of an order parameter that
quantifies "quantumness over large scales". Nevertheless I conjecture that the transition
from macroscopic quantum behavior to macroscopic classical behavior occurs as a phase
transition. The idea that the transition from quantum to classical physics is abrupt stands
in contrast to the standard view of a gradual transition due to decoherence [205]. I believe
that the flippant frontier between quantum and classical physics will be better understood
if we gain better understanding of the transition from quantum to classical computational
behavior.

An interesting conclusion of the threshold result is that one dimensional quantum 
systems can exhibit a non trivial phase transition at a critical noise rate $\eta_c$, below which
the mixing time of the system is exponential, but above which the system mixes rapidly. 
This phase transition might be different from the transition from classical to quantum 
behavior, or it might be the same. This existence of a one dimensional phase transition is 
interesting because one dimensional phase transitions are rare, also in classical systems, 
though there exist several complicated examples [152, 9£]. 

Perhaps a vague, but deeper, and more thought provoking question is that of the 
postulates of quantum mechanics. The possibility that the model will be realized will 
enable a thorough test of some of the more philosophical aspects of quantum theory, 
such as understanding the collapse of the wave function, the process of measurement, and 
other elements which are used as everyday tools in quantum algorithms. It might be that 
the realization of quantum computation will reveal the fact that what we understand in 
quantum physics is merely an approximation holding only for small number of particles, 
which we extrapolated to many particles. Such questions are appealing motivations for 
this extremely challenging task of realizing the quantum computation model physically. 
It seems that successes, and also failures, in achieving this ambitious task, will open new 
exciting paths and possibilities in both computer science and fundamental physics. 